@openclaw/orchestration
by frank-bot07 · v1.0.0
Downloads: 602 · Stars: 1 · Active Installs: 0 · Versions: 1
Install in OpenClaw
/install openclaw-orchestration
Description
Framework for coordinating multi-agent tasks with atomic claims, dependencies, retries, and markdown task visibility using a shared SQLite queue.
Usage Guidance
This skill appears to implement what it says (a local SQLite multi-agent queue) but it's not production-ready as-is. Before installing or running it:
- Review and, if possible, run the included tests in an isolated environment (the repository includes tests). They exercise most critical paths.
- Address the CODEX_REVIEW issues (wrap multi-statement DB changes in transactions, enforce agent max_concurrent, ensure backup/restore await/close DB properly). These are correctness and data-integrity fixes, not evidence of malicious behavior.
- Be aware the code imports '../../interchange/src/index.js': the skill expects a sibling 'interchange' module to be present. If that module is missing, refresh/CLI may fail; if it is present, that external code will be executed. Validate that path and ensure only trusted code exists there.
- Because this uses better-sqlite3 (native module), install/build may require a C++ toolchain or prebuilt binaries; test installation in your target environment first.
- Run the CLI commands (claim/complete/sweep/refresh/backup/restore) in a controlled environment and back up any important data — restore can overwrite the live DB file and sweep/complete mutate state.
If you need to use this skill in production, require the maintainer to fix the high/critical issues and either declare a dependency on @openclaw/interchange or vendor the required interchange functions to avoid cross-directory imports. If you lack the capability to audit or patch these issues, treat this package as untrusted for production workloads.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-orchestration
Version: 1.0.0
The skill is classified as suspicious due to multiple critical and high-severity vulnerabilities identified in the `CODEX_REVIEW.md` and confirmed by analysis. These include race conditions and lack of transactional integrity in `src/queue.js` (e.g., `claimTask`, `createTask`, `completeTask`, `failTask`), potential database corruption during restore in `src/backup.js`, and a failure to enforce `max_concurrent` limits in `src/queue.js`. While these issues could lead to data inconsistency, operational failures, or bypass of intended controls, they do not demonstrate clear evidence of intentional malicious behavior such as data exfiltration, backdoors, or unauthorized remote code execution. The `SKILL.md` and `README.md` do not contain prompt injection attempts with harmful objectives.
Capability Assessment
Purpose & Capability
Name/description match the code: a SQLite-backed task queue with claiming, dependencies, retries, sweep, and markdown interchange generation. Declared dependencies (better-sqlite3, commander, uuid) and the CLI align with that purpose. Two concerns: (1) src/interchange.js imports '../../interchange/src/index.js' — a relative, out-of-package import that requires a sibling 'interchange' module to exist but is not declared in package.json; this is an implicit external dependency and brittle design. (2) package-lock includes native modules (better-sqlite3) which require native build/runtime support; that is expected but worth noting for deployment.
Instruction Scope
SKILL.md and the CLI instruct only local actions (npm install, run node src/cli.js commands). The code reads/writes a local DB (data/orchestration.db), writes .md interchange files, and exposes backup/restore that overwrite local DB files. There is no attempt to read environment secrets or contact external network endpoints in the provided source. However: the interchange import reaches outside the package (../../interchange/...), and refresh generates files in an 'interchange' tree — the SKILL.md does not call out that refresh will rely on an external sibling module, nor that files will be written to the repository filesystem. The CLI 'restore' and backup functions can overwrite the live DB file; the README/CLI warn about WAL but these operations still carry data-loss risk if misused.
Install Mechanism
There is no special install script in the skill registry; the SKILL.md recommends running 'npm install' which will fetch packages from the npm registry (better-sqlite3, commander, uuid). No downloads from arbitrary URLs or shorteners are used. Note: better-sqlite3 is a native module and may run build/install steps (prebuild-install) — this is normal but requires build toolchain on the host.
Credentials
The skill declares no required environment variables, no credentials, and no special config paths. The code operates on local filesystem paths under the skill (data/, interchange/) and uses no external API keys. This is proportionate to an on-disk orchestration tool.
Persistence & Privilege
The skill does not request always:true or any elevated platform privileges. It will run CLI commands and modify files under its data/interchange directories. One caveat: the source imports code via a relative path that crosses upward and into a sibling 'interchange' directory ('../../interchange/src/index.js'), which means at runtime it could execute code from other skill directories if those exist in the same filesystem — this is a design fragility that could lead to surprising cross-skill execution if the repository layout differs from expectations.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install openclaw-orchestration
- After installation, invoke the skill by name or use /openclaw-orchestration
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: Multi-agent task queue. 13 tests.
Frequently Asked Questions
What is @openclaw/orchestration?
Framework for coordinating multi-agent tasks with atomic claims, dependencies, retries, and markdown task visibility using a shared SQLite queue. It is an AI Agent Skill for Claude Code / OpenClaw, with 602 downloads so far.
How do I install @openclaw/orchestration?
Run "/install openclaw-orchestration" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is @openclaw/orchestration free?
Yes, @openclaw/orchestration is completely free (open-source). You can download, install and use it at no cost.
Which platforms does @openclaw/orchestration support?
@openclaw/orchestration is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created @openclaw/orchestration?
It is built and maintained by frank-bot07 (@frank-bot07); the current version is v1.0.0.