Total downloads: 83
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install swarm-sprint
Description
Parallel multi-agent coding sprints using git worktree isolation. Use when running 2+ coding tasks on a repository that touch different parts of the codebase...
Security usage recommendations
This skill appears to do what it says (create isolated git worktrees, generate per-task agent packages, and coordinate merges), but take these precautions before using it on important repositories:
- Review the full, untruncated scripts/swarm.js file before running. The provided copy is truncated in the manifest; any hidden code could change the risk profile.
- Run in --dry-run or --plan-only first to see planned worktrees and groups without touching disk or branches. Inspect generated swarm-packages.json before spawning agents.
- Only run on a local clone or a disposable environment (not directly on a production checkout). Prefer a sandbox or CI workspace and ensure you have a backup/clean branch to recover.
- Validate and sanitize task inputs. The script builds branch names and filesystem paths using task.id and repo path; a malicious or malformed task id could cause unexpected branch names or file paths. Do not accept tasks from untrusted sources without validation.
- Be cautious about cleanup fallback: the script attempts rm -rf on worktree paths if git removal fails. Do not run as root and confirm the computed worktree paths are safe before allowing cleanup to run.
- Consider agent/network privileges: spawning multiple subagents increases the number of processes with access to repository content and any network egress those agents have. Limit agent network and secret access if possible.
- Confirm the coordinator (human or automated) reviews diffs before merge; the skill's safety relies on that step. Use git push/policy controls rather than allowing automated pushes from worker environments.
If you need higher assurance, ask the publisher for the full, untruncated script and a short security note describing path sanitization and any safety checks they perform.
Functional analysis
Type: OpenClaw Skill
Name: swarm-sprint
Version: 1.0.1
The skill implements a parallel multi-agent coding workflow using git worktrees but contains a critical shell injection vulnerability in `scripts/swarm.js`. The script executes shell commands via `bash -c` using unsanitized input from the `tasks.json` file (specifically the `id` field) when creating and cleaning up worktrees. While the tool's logic appears intended for legitimate coordination and includes safety instructions for sub-agents in `SKILL.md`, the lack of input validation in command construction allows for arbitrary command execution if a task ID contains shell metacharacters.
Capability assessment
Purpose & Capability
Name/description describe parallel multi-agent sprints using git worktrees; the included script runs git worktree, creates branches, generates agent packages, and instructs spawning subagents. No unrelated credentials, binaries, or external services are required — this is proportionate to the stated purpose.
Instruction Scope
SKILL.md and scripts instruct creating/removing worktrees, committing from subagents, and writing sprint logs. This is expected, but the script executes shell/git commands (git worktree add/remove, git branch -D, git worktree prune) and falls back to rm -rf for manual cleanup. Task IDs and repoPath are used to build branch names and filesystem paths: if untrusted task inputs are used, that could lead to unexpected filesystem operations or destructive rm -rf behavior. Also spawning multiple subagents increases the blast radius (many agents having access to repo contents and any network outlet).
Install Mechanism
There is no install spec (instruction-only skill with a shipped script). Nothing is downloaded or installed by the registry metadata — lowest install risk.
Credentials
The skill declares no required environment variables or credentials. The script runs git and shell commands and defaults repoPath to the current working directory; no secret access is requested by the skill itself. However, subagents spawned per the instructions may have access to environment or network depending on your agent platform's configuration — that is an operational concern, not an inconsistency with the skill's declared requirements.
Persistence & Privilege
always:false and no attempt to modify other skills or system-wide agent settings. The skill writes swarm-packages.json and a sprint log and creates/deletes git worktrees and branches — these are expected for a coordinator tool and scoped to the repository/worktree area.
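How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: `/install swarm-sprint`
- Once installation completes, call the Skill by name or use `/swarm-sprint` to trigger it
- Provide the required inputs according to the Skill's parameter documentation to get structured output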
Version history
v1.0.1
Improved description: explains worktree isolation and conflict planning vs naive parallel agents
v1.0.0
Initial release: parallel multi-agent coding sprints with git worktree isolation
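FAQ
What is Swarm Sprint?
Parallel multi-agent coding sprints using git worktree isolation. Use when running 2+ coding tasks on a repository that touch different parts of the codebase... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 83 total downloads to date.
How do I install Swarm Sprint?
Run the command "/install swarm-sprint" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.
Is Swarm Sprint free?
Yes. Swarm Sprint is completely free and released under the MIT-0 license; it can be freely downloaded, installed and used.
Which platforms does Swarm Sprint support?
Swarm Sprint is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who develops Swarm Sprint?
It is developed and maintained by JDH3 (@jdh3); the current version is v1.0.1.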