Multi-agent orchestration for complex TypeScript/Next.js/Convex projects. Phased builds, functional verification, the full playbook for delegating to sub-agents without chaos.
Security Analysis
medium confidence
The instructions and docs match the stated multi-agent orchestration purpose, but the skill asks sub-agents to run without timeouts and implies end-to-end checks that would require secrets (Stripe, Clerk, Convex, Resend, etc.) while declaring no required environment variables — this mismatch warrants caution before use.
The name/description (multi-agent orchestration for TypeScript/Next.js/Convex) align with the provided SKILL.md, CODING-STANDARDS.md, CONTRACTS-TEMPLATE.md, and TECH-REQ.md. All content is about project scaffolding, phased builds, functional verification and agent coordination; there are no unrelated requests for cloud credentials, tooling, or system-level access in the manifest.
The runtime instructions are detailed and stay within the stated purpose (bootstrap, generate Convex types, run builds, spawn sub-agents with file ownership rules, run E2E verifications). However the SUB-AGENT POLICY demands 'No Timeouts' (unbounded runtimes) which increases operational risk if an agent runs long or attempts arbitrary work. The instructions also require running dev servers, browser smoke tests, webhook verification and payment flow checks — legitimate for E2E testing but potentially able to trigger network calls or require sensitive credentials.
Instruction-only skill with no install spec and no code executed by the platform. This minimizes installation risk (nothing downloaded or written by the skill installer).
The skill declares no required env vars, yet TECH-REQ examples and the E2E checklist reference many service integrations (NEXT_PUBLIC_CONVEX_URL, STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET, RESEND_API_KEY, Clerk config, etc.). Verifying webhooks, payments, and auth flows will practically require access to those secrets or test equivalents — the manifest does not request them, creating a gap: either the agent will be unable to complete tasks, or someone must provide sensitive credentials manually. This mismatch is a notable proportionality concern.
The skill is not always-enabled and does not request any privileged platform flags. It is user-invocable and allows autonomous agent invocation by default (normal). There is no install-time persistence or modification of other skills' configs indicated.
Guidance
What to consider before installing or running this skill:
- The skill is an instruction-only playbook for coordinating multi-agent development and mostly matches its stated purpose — it doesn't download code or ask for platform installs.
- However, the SKILL.md explicitly asks sub-agents to run without time limits. Prefer to keep platform-enforced timeouts or otherwise gate long-running work; do not blindly allow unbounded agent execution.
- The workflow expects end-to-end verification (webhooks, payments, auth). Those checks require secrets/API keys (Stripe, Clerk, Convex URL, Resend, etc.). The skill does not declare or request those credentials, so you must not provide production secrets to the agent. If you want it to run E2E tests, create ephemeral/test credentials and run in an isolated/dev environment.
- Because the source is unknown and there's no homepage, verify these docs against your codebase and run the skill only on a non-production repository or a sandboxed environment (CI runner, local VM, or ephemeral staging).
- Recommended mitigations: supply only test keys, restrict network access for agent runs where possible, keep timeouts enforced at the platform level, and review any outputs before committing or deploying changes the agents produce.
Confidence note: assessment is medium confidence — the content is coherent with the described purpose, but the missing explicit credential requirements combined with the 'no timeouts' rule creates practical and safety ambiguities that justify caution.
Latest Release
v0.1.0
web-architecture 0.1.0
- Initial release introducing a structured, multi-phase workflow for orchestrating large TypeScript/Next.js/Convex projects using multiple agents.
- Defines strict agent spawn order, directory structure, and locking rules to avoid code conflicts and duplication.
- Emphasizes functional verification over compilation, with explicit requirements for UI, backend, and E2E testing.
- Includes policies for schema ownership, code handoff, and parallelization best practices.
- Provides templates and checklists for each development phase, ensuring quality and coordination.
Published by @michaelmonetized on ClawHub