Low risk: risk score 20/100
Last scan: 1 day ago
epic-ai-swarm-orchestration
Multi-agent AI swarm orchestration system for parallel coding tasks with automatic tmux tracking, endorsement gates, integration merging, and Telegram notifications.
Legitimate multi-agent swarm orchestration system with undocumented but standard shell/filesystem/network operations; bypassPermissions and auto-endorsement in batch mode are concerning but documented behavior.
Skill name: epic-ai-swarm-orchestration
Analysis time: 81.7s
Engine: pi
Verdict: can be installed
Declare bypassPermissions usage and auto-endorsement in SKILL.md. Consider documenting allowed-tools mapping explicitly. Add version pinning to agent CLIs (claude, codex, gemini) referenced in scripts.

Security findings (6)

Severity | Finding | Location
Medium · bypassPermissions not declared in SKILL.md · Documentation deception
spawn-agent.sh spawns Claude agents with --permission-mode bypassPermissions, which is a significant privilege elevation. SKILL.md describes the endorsement system but never mentions that spawned agents run with permission bypass. While this is necessary for automated agent operation, the lack of declaration is a doc-to-code mismatch.
claude --model "$model" --permission-mode bypassPermissions --print "$PROMPT"
→ Add a 'Security Notes' or 'Permissions' section to SKILL.md explicitly stating that spawned Claude agents run with bypassPermissions, and that this is required for automated non-interactive operation.
scripts/spawn-agent.sh:178
Medium · Auto-endorsement bypasses human approval gate · Privilege escalation
spawn-batch.sh uses 'endorse-task.sh --batch' which auto-endorses all tasks in a batch without requiring the 30-second cooldown or explicit per-task endorsement. The script comments explain this is for verbal batch approval, but SKILL.md hard rules only mention 'endorse-task.sh', not the --batch shortcut. A malicious orchestrator could exploit this to auto-spawn without presenting the plan.
"$ENDORSE_SCRIPT" --batch "$TASK_ID" >/dev/null
→ Document the --batch endorsement mechanism in SKILL.md hard rules section, and add a confirmation step or audit trail for batch auto-endorsement.
scripts/spawn-batch.sh:89
Low · Dynamic script generation not documented · Documentation deception
spawn-agent.sh dynamically generates runner scripts (spawn-agent.sh:170-224) with heredoc syntax, substitutes variables via sed, and executes them. SKILL.md describes 'spawn-agent.sh <args>' as a simple invocation without mentioning the internal script generation. This is a non-security issue but contributes to doc-code mismatch.
cat > "$RUNNER_SCRIPT" << 'RUNNER_HEREDOC_EOF' ... sed -i ... "$RUNNER_SCRIPT"
→ Document internal script generation in SKILL.md or add a 'How it works' section explaining the runner script mechanism.
scripts/spawn-agent.sh:170
Low · Agent CLIs not pinned to versions · Supply chain
Scripts reference 'claude', 'codex', 'gemini' without version constraints. model-fallback.sh and assess-models.sh test availability at runtime, and assess-models.sh can update duty-table.json with different model names. An attacker with control over model names in the duty table could redirect calls to a different model, or achieve command injection, if model names are not validated before being used in commands.
FALLBACK_CHAINS[architect]="claude:claude-opus-4-6 ..."
→ Validate agent/model names against an allowlist before using them in commands. Pin CLI versions where possible.
scripts/model-fallback.sh:30
Low · Spawned agent prompts include untrusted work log content · Prompt injection
Reviewer and integrator prompts inject the content of /tmp/worklog-{session}.md files directly into the LLM prompt via heredoc. If an attacker-controlled task could write malicious content to a work log, it could influence the reviewer's behavior. The same applies to task descriptions loaded from external files.
WORKLOG_CONTENT=$(cat "$WORKLOG") ... $WORKLOG_CONTENT
→ Treat work log content as untrusted input; consider sanitization or using a separate context channel rather than direct injection into the prompt.
scripts/notify-on-complete.sh:187
Low · Sources user bashrc at startup · Sensitive access
spawn-agent.sh and assess-models.sh source $HOME/.bashrc, which may contain user-specific environment variables, aliases, or PATH modifications. While this is common for shell tools, it could introduce unexpected behavior or conflict with sandboxing.
[ -f "$HOME/.bashrc" ] && source "$HOME/.bashrc" 2>/dev/null || true
→ Document that sourcing .bashrc is expected behavior. Consider documenting this in SKILL.md setup section.
scripts/spawn-agent.sh:18
Resource type | Declared permission | Inferred permission | Status | Evidence
Command execution | NONE | WRITE | ✓ Consistent | spawn-agent.sh:178-224 dynamically generates runner scripts executed via bash
File system | NONE | WRITE | ✓ Consistent | spawn-agent.sh writes to SWARM_DIR, PROJECT_DIR, duty-table.json
Network access | NONE | READ | ✓ Consistent | deploy-notify.sh polls GitHub Actions API via gh CLI
Environment variables | NONE | READ | ✓ Consistent | spawn-agent.sh sources $HOME/.bashrc and reads SWARM_NOTIFY_TARGET, SWARM_MAX_CO…
Skill invocation | NONE | WRITE | ✓ Consistent | notify-on-complete.sh spawns reviewer agents; integration-watcher.sh spawns inte…

Directory structure

44 files · 208.4 KB · 5203 lines
Shell: 22 files · 3341 lines; Markdown: 21 files · 1669 lines; JSON: 1 file · 193 lines
├─ 📁 docs
│ ├─ 📁 decisions
│ │ └─ 📝 2026-03-28.md Markdown 11L · 505 B
│ ├─ 📁 history
│ │ ├─ 📝 2026-03-28-claude-swarm-cleanup.md Markdown 28L · 1.9 KB
│ │ ├─ 📝 2026-03-28-claude-swarm-decisions.md Markdown 28L · 1.6 KB
│ │ ├─ 📝 2026-03-28-claude-swarm-e2e-test.md Markdown 29L · 1.5 KB
│ │ ├─ 📝 2026-03-28-claude-swarm-e2e-v301.md Markdown 29L · 1.5 KB
│ │ ├─ 📝 2026-03-28-claude-swarm-escalation.md Markdown 30L · 2.0 KB
│ │ ├─ 📝 2026-03-28-claude-swarm-handoff.md Markdown 42L · 2.9 KB
│ │ ├─ 📝 2026-03-28-claude-swarm-inbox.md Markdown 49L · 2.6 KB
│ │ ├─ 📝 2026-03-28-claude-swarm-maxconcurrent.md Markdown 68L · 5.2 KB
│ │ ├─ 📝 2026-03-28-claude-swarm-planformat.md Markdown 30L · 1.9 KB
│ │ ├─ 📝 2026-03-28-claude-swarm-standup.md Markdown 29L · 1.9 KB
│ │ ├─ 📝 2026-03-28-claude-swarm-statemachine.md Markdown 63L · 4.2 KB
│ │ └─ 📝 2026-03-28-integration.md Markdown 463L · 29.0 KB
│ └─ 📝 ESR.md Markdown 79L · 3.7 KB
├─ 📁 references
│ ├─ 📝 duty-table.md Markdown 117L · 3.6 KB
│ ├─ 📝 eor-template.md Markdown 28L · 420 B
│ ├─ 📝 tools.md Markdown 111L · 3.4 KB
│ └─ 📝 workflow.md Markdown 113L · 3.8 KB
├─ 📁 roles
│ └─ 📁 swarm-lead
│   ├─ 📝 ROLE.md Markdown 125L · 6.5 KB
│   └─ 📝 TOOLS.md Markdown 61L · 2.5 KB
├─ 📁 scripts
│ ├─ 🔧 assess-models.sh Shell 279L · 10.9 KB
│ ├─ 🔧 check-agents.sh Shell 94L · 3.2 KB
│ ├─ 🔧 cleanup.sh Shell 220L · 6.3 KB
│ ├─ 🔧 daily-standup.sh Shell 182L · 5.5 KB
│ ├─ 🔧 deploy-notify.sh Shell 58L · 1.9 KB
│ ├─ 📋 duty-table.template.json JSON 193L · 10.3 KB
│ ├─ 🔧 endorse-task.sh Shell 40L · 1.2 KB
│ ├─ 🔧 esr-log.sh Shell 100L · 2.9 KB
│ ├─ 🔧 fallback-swap.sh Shell 132L · 4.5 KB
│ ├─ 🔧 inbox-add.sh Shell 63L · 1.9 KB
│ ├─ 🔧 inbox-clear.sh Shell 74L · 1.7 KB
│ ├─ 🔧 inbox-list.sh Shell 52L · 1.0 KB
│ ├─ 🔧 integration-watcher.sh Shell 366L · 13.0 KB
│ ├─ 🔧 migrate-orphaned-tasks.sh Shell 67L · 1.9 KB
│ ├─ 🔧 model-fallback.sh Shell 66L · 2.6 KB
│ ├─ 🔧 notify-on-complete.sh Shell 418L · 16.7 KB
│ ├─ 🔧 pulse-check.sh Shell 167L · 5.6 KB
│ ├─ 🔧 queue-watcher.sh Shell 122L · 4.2 KB
│ ├─ 🔧 spawn-agent.sh Shell 392L · 12.6 KB
│ ├─ 🔧 spawn-batch.sh Shell 248L · 8.7 KB
│ ├─ 🔧 start-integration.sh Shell 61L · 2.0 KB
│ ├─ 🔧 try-model.sh Shell 33L · 1023 B
│ └─ 🔧 update-task-status.sh Shell 107L · 3.1 KB
└─ 📝 SKILL.md Markdown 136L · 5.1 KB

Dependency analysis (8)

Package | Version | Source | Known vulnerabilities | Notes
bash | 4+ | system | - | Required shell; macOS ships bash 3.x, upgrade recommended
tmux | any | system | - | Terminal multiplexing for agent isolation
git + gh | any | system | - | Version control and PR creation
jq | any | system | - | JSON processing
claude CLI | unpinned | external | - | Claude Code CLI; version not pinned in scripts
codex CLI | unpinned | external | - | OpenAI Codex CLI; version not pinned in scripts
gemini CLI | unpinned | external | - | Google Gemini CLI; version not pinned in scripts
openclaw | any | optional | - | Optional notification tool (Telegram/Discord)

Security highlights

✓ No credential harvesting or exfiltration — network calls limited to GitHub Actions API and Telegram notifications
✓ No obfuscation, base64-encoded payloads, or hidden instructions found
✓ No reverse shell, C2 infrastructure, or direct IP network connections
✓ Endorsement system provides a human-in-the-loop approval gate before spawning
✓ Git operations scoped to project directory; no access to ~/.ssh, ~/.aws, or .env files
✓ Cleanup script removes stale temp files and endorsement files
✓ No cron/scheduled task persistence mechanisms
✓ Dependencies are standard tools (bash, tmux, git, gh, jq, python3) — no external pip/npm packages
✓ No typosquatting or malicious supply chain indicators