ClawHub

Spec Kit

v1.0.0

Use GitHub Spec Kit for Spec-Driven Development. Initialize projects, create specifications, and build software using the /speckit.* slash commands. Supports...

1· 435·3 current·3 all-time
byAung Myo Kyaw@aungmyokyaw
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (Spec Kit for spec-driven development) aligns with the instructions (init, plan, build, commit). However the prereqs list the binary 'uv' while all examples use 'uvx', and 'python3' is declared but not referenced in the visible commands. These are small inconsistencies that could cause confusion or broken runs.
Instruction Scope
SKILL.md stays on-topic (creating specs, generating code, running tests, committing to git). It does instruct operations that modify local repos and files (creates .speckit/, writes files, runs tests, commits). That is expected for this tool, but it grants the agent authority to modify the working tree and invoke network-backed tooling via uvx.
!
Install Mechanism
There is no formal install spec, but the instructions call uvx with --from git+https://github.com/github/spec-kit.git which causes code to be downloaded and executed. The download host is GitHub (expected), but the skill does not declare or restrict this network/install behavior — instruction-only skills that direct fetching/execution are higher risk if the fetched code is unreviewed.
Credentials
The skill declares no required environment variables or credentials, which matches the metadata. However runtime behavior (git commits/pushes, using an AI agent like Claude/Copilot/Gemini) may implicitly use existing git credentials or external API keys the user has configured. Those credentials are not mentioned or scoped by the skill.
Persistence & Privilege
always is false and the skill is user-invocable (normal). Autonomous invocation is allowed (platform default) but there is no attempt to make the skill persistently enabled or to modify other skills' config.
What to consider before installing
What to consider before installing or using this skill: - The skill is mostly coherent for a Spec-Driven Development workflow, but double-check the tooling names: examples call 'uvx' while prereqs list 'uv'. Ensure you have the correct binary and version. - The instructions tell you to fetch and run code from GitHub via uvx. Treat this like running any third-party install: inspect the upstream repository (https://github.com/github/spec-kit) and review its install scripts before executing in a sensitive environment. - The tool will create files, run tests, and commit to the local git repo. Ensure you run it in a disposable or well-backed-up workspace if you don’t want unintended changes pushed. - The skill doesn’t request API keys, but using AI agents or pushing to remote git may use credentials already on your machine. Be aware of implicit credential use and confirm your credential helpers and remotes are configured as you expect. - If you want higher assurance, ask the publisher for: explicit install instructions (or a packaged release with checksums), clarification on 'uv' vs 'uvx', and a pointer to the exact release tag to be used instead of a generic git+https ref.

Like a lobster shell, security has layers — review code before you run it.

latestvk970wz4jxr9zspn4xehan9akk5821dra

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📋 Clawdis
Binsuv, python3, git

Comments