OpenTangl
Warn
Audited by ClawScan on May 10, 2026.
Overview
OpenTangl is openly described as an autonomous development workflow, but it asks to use the user's authenticated GitHub tooling to create and merge changes across repositories without enough visible per-merge guardrails.
Install and run this only on repositories you are willing to let an autonomous tool modify. Use least-privilege GitHub credentials, require branch protection and manual approval before merges, review generated configuration and vision files, and inspect the upstream OpenTangl repository before running npm install.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1
A bad generated change could be committed or merged into a real repository without the user reviewing that specific change first.
The skill is explicitly designed to perform high-impact repository actions automatically; the visible instructions do not show a mandatory human approval step before each merge.
it plans features, writes code, verifies builds, creates PRs, reviews diffs, and merges — autonomously
Use branch protections, require manual PR approval before merge, run in a test repository first, and restrict the tool to selected repos and branches.

Finding 2
If the GitHub session has broad permissions, OpenTangl could act with those permissions across more repositories than the user intended.
The quoted prerequisite shows that the workflow relies on the user's authenticated GitHub CLI identity for write/merge actions, but the artifacts do not describe required token scopes, allowed repositories, or privilege limits.
GitHub CLI — run `gh auth status` and show the output (needed for PR creation and merging)
Use a dedicated GitHub account or token with least privilege, limit repository access, and confirm the active gh account before running autonomous workflows.

Finding 3
One bad instruction or generated change could affect multiple repositories and branches, increasing recovery effort.
Multi-repository autonomous changes can propagate a mistaken plan, generated bug, or unsafe dependency change across several codebases.
Autonomous builds, PRs, reviews, and merges across multiple repos... Manages multiple repos as one product.
Start with one non-production repo, require separate approvals per repository, and keep rollback plans and CI protections in place.

Finding 4
Reviewing the skill file is not the same as reviewing the external OpenTangl code and its dependencies.
The skill directs the user to install external project code and npm dependencies manually; this is disclosed and not run automatically by the skill, but that upstream code was not included in the reviewed artifacts.
git clone https://github.com/8co/opentangl.git
cd opentangl
npm install
Inspect the upstream repository, package files, and lockfile before installing, and install in an isolated environment if possible.

Finding 5
Incorrect or manipulated project priorities could steer future generated changes in unwanted directions.
OpenTangl maintains persistent project context that can influence later autonomous development runs.
Current Priorities (maintained by OpenTangl after each run)
Review the product-vision and project configuration files before each run, especially after automated updates.
