← Back to Skills Marketplace
83
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install swarm-sprint
Description
Parallel multi-agent coding sprints using git worktree isolation. Use when running 2+ coding tasks on a repository that touch different parts of the codebase...
Usage Guidance
This skill appears to do what it says (create isolated git worktrees, generate per-task agent packages, and coordinate merges), but take these precautions before using it on important repositories:
- Review the full, untruncated scripts/swarm.js file before running. The provided copy is truncated in the manifest; any hidden code could change the risk profile.
- Run in --dry-run or --plan-only first to see planned worktrees and groups without touching disk or branches. Inspect generated swarm-packages.json before spawning agents.
- Only run on a local clone or a disposable environment (not directly on a production checkout). Prefer a sandbox or CI workspace and ensure you have a backup/clean branch to recover.
- Validate and sanitize task inputs. The script builds branch names and filesystem paths using task.id and repo path; a malicious or malformed task id could cause unexpected branch names or file paths. Do not accept tasks from untrusted sources without validation.
- Be cautious about cleanup fallback: the script attempts rm -rf on worktree paths if git removal fails. Do not run as root and confirm the computed worktree paths are safe before allowing cleanup to run.
- Consider agent/network privileges: spawning multiple subagents increases the number of processes with access to repository content and any network egress those agents have. Limit agent network and secret access if possible.
- Confirm the coordinator (human or automated) reviews diffs before merge; the skill's safety relies on that step. Use git push/policy controls rather than allowing automated pushes from worker environments.
If you need higher assurance, ask the publisher for the full, untruncated script and a short security note describing path sanitization and any safety checks they perform.
Capability Analysis
Type: OpenClaw Skill
Name: swarm-sprint
Version: 1.0.1
The skill implements a parallel multi-agent coding workflow using git worktrees but contains a critical shell injection vulnerability in `scripts/swarm.js`. The script executes shell commands via `bash -c` using unsanitized input from the `tasks.json` file (specifically the `id` field) when creating and cleaning up worktrees. While the tool's logic appears intended for legitimate coordination and includes safety instructions for sub-agents in `SKILL.md`, the lack of input validation in command construction allows for arbitrary command execution if a task ID contains shell metacharacters.
Capability Tags
Capability Assessment
Purpose & Capability
Name/description describe parallel multi-agent sprints using git worktrees; the included script runs git worktree, creates branches, generates agent packages, and instructs spawning subagents. No unrelated credentials, binaries, or external services are required — this is proportionate to the stated purpose.
Instruction Scope
SKILL.md and scripts instruct creating/removing worktrees, committing from subagents, and writing sprint logs. This is expected, but the script executes shell/git commands (git worktree add/remove, git branch -D, git worktree prune) and falls back to rm -rf for manual cleanup. Task IDs and repoPath are used to build branch names and filesystem paths: if untrusted task inputs are used, that could lead to unexpected filesystem operations or destructive rm -rf behavior. Also spawning multiple subagents increases the blast radius (many agents having access to repo contents and any network outlet).
Install Mechanism
There is no install spec (instruction-only skill with a shipped script). Nothing is downloaded or installed by the registry metadata — lowest install risk.
Credentials
The skill declares no required environment variables or credentials. The script runs git and shell commands and defaults repoPath to the current working directory; no secret access is requested by the skill itself. However, subagents spawned per the instructions may have access to environment or network depending on your agent platform's configuration — that is an operational concern, not an inconsistency with the skill's declared requirements.
Persistence & Privilege
always:false and no attempt to modify other skills or system-wide agent settings. The skill writes swarm-packages.json and a sprint log and creates/deletes git worktrees and branches — these are expected for a coordinator tool and scoped to the repository/worktree area.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install swarm-sprint - After installation, invoke the skill by name or use
/swarm-sprint - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Improved description: explains worktree isolation and conflict planning vs naive parallel agents
v1.0.0
Initial release: parallel multi-agent coding sprints with git worktree isolation
Metadata
Frequently Asked Questions
What is Swarm Sprint?
Parallel multi-agent coding sprints using git worktree isolation. Use when running 2+ coding tasks on a repository that touch different parts of the codebase... It is an AI Agent Skill for Claude Code / OpenClaw, with 83 downloads so far.
How do I install Swarm Sprint?
Run "/install swarm-sprint" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Swarm Sprint free?
Yes, Swarm Sprint is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Swarm Sprint support?
Swarm Sprint is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Swarm Sprint?
It is built and maintained by JDH3 (@jdh3); the current version is v1.0.1.
More Skills