OpenSpec Workflow
Security checks across malware telemetry and agentic risk
Overview
This skill is openly aimed at autonomous code changes and PR shipping, but it delegates work to Claude Code with permission checks disabled and includes privileged GitHub automation, so users should review it carefully before use.
Use this only in repositories where you are comfortable allowing an agent to make code changes. Prefer a disposable branch or worktree, avoid disabling permission prompts unless necessary, review commits before pushing, pin the CLI version used by the GitHub Action, and consider removing the automatic branch-deletion step.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Claude Code could make broad repository changes and commits without the normal permission prompts or a clear user approval checkpoint before mutation.
The workflow asks the agent to run an external coding agent in the repository with permission checks disabled, in the background, and with authority to modify files and commit changes.
Launch Claude Code in the repo (or worktree) with PTY and `--dangerously-skip-permissions` ... `background:true command:"claude --dangerously-skip-permissions -p 'Implement these tasks ... Mark tasks complete as you go. Commit when done.`
Run only in a disposable branch or worktree, avoid `--dangerously-skip-permissions` where possible, and require explicit user review before commits, pushes, and PR creation.
Using this skill with an authenticated `gh` session lets the agent act on GitHub repositories within that credential’s permissions.
The skill requires an authenticated GitHub CLI session so it can push branches and create PRs, which is expected for its purpose but gives the workflow delegated repository authority.
`gh` CLI authenticated with repo access
Use least-privilege GitHub credentials, confirm the target repository and branch before running shipping steps, and review any PR before merge.
A future or compromised npm package version could run inside CI with repository write permissions and affect generated archive PRs or repository contents.
The suggested GitHub Action grants write permissions and installs the latest OpenSpec CLI from npm at runtime without pinning a package version or lockfile.
permissions:
  contents: write
  pull-requests: write
...
- name: Install OpenSpec CLI
  run: npm install -g @fission-ai/openspec
Pin the OpenSpec CLI to a reviewed version, consider using a lockfile or verified package source, and keep GitHub Actions permissions as narrow as possible.
A merge-triggered automation could remove a branch unexpectedly, especially if branch naming or repository ownership assumptions are wrong.
The proposed workflow automatically deletes a branch after a merged PR based on the PR head ref, without an explicit confirmation step or same-repository ownership check.
- name: Clean up merged branch
if: steps.extract.outputs.skip == 'false'
...
BRANCH="${{ github.event.pull_request.head.ref }}"
git push origin --delete "$BRANCH" 2>/dev/null || echo "Branch already deleted or protected"
Disable automatic branch deletion by default, or add checks that the PR branch belongs to the same repository and is safe to delete.
A background review or implementation session may continue acting in the repository while the user is not actively watching it.
The review protocol recommends spawning background Claude Code sessions with broad repository access. This is disclosed and aligned with the workflow, but users should understand that a background agent will keep running until completion or termination.
exec pty:true workdir:<repo-path> background:true command:"claude --dangerously-skip-permissions -p 'You are a skeptical spec reviewer...'
Monitor background sessions, set timeouts, and terminate any session that is no longer needed or behaves unexpectedly.
