OpenSpec Workflow
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This is a plausible OpenSpec development workflow, but it tells the agent to run Claude Code in the background with permission checks disabled and repo/GitHub write authority.
Use this only in a controlled repo branch or worktree. Do not run it on sensitive repositories without removing secrets, using least-privilege GitHub credentials, pinning CI dependencies, and replacing `--dangerously-skip-permissions` with an approval-based workflow.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A delegated tool could make broad code changes and commits in your repository before you review each action.
The skill instructs the agent to launch Claude Code in the background with permission checks disabled, allowing it to edit the repository and create commits without normal interactive safeguards.
exec pty:true workdir:<repo-path> background:true command:"claude --dangerously-skip-permissions -p 'Implement these tasks ... Mark tasks complete as you go. Commit when done.
Remove `--dangerously-skip-permissions`, run in an isolated worktree or branch, and require explicit user approval before file writes, commits, pushes, or PR creation.
The workflow may act using your GitHub identity or available repository permissions.
Authenticated GitHub access is expected for opening PRs, but it gives the workflow authority over the user's repository and is not reflected in the registry credential fields.
- `gh` CLI authenticated with repo access
Use least-privilege GitHub credentials, review the target branch and repository before running, and ensure the skill metadata declares required authenticated tools.
Repository contents may be exposed to Claude Code or reviewer subagents during review and implementation.
The review protocol intentionally gives another agent broad repository visibility, which may include private source code, configuration, or accidentally committed secrets.
Claude Code can read any file in the repo, run grep, check git history, and verify assumptions
Run only on repositories you are comfortable sharing with the delegated agent, remove secrets from the repo, and limit access to a scoped worktree when possible.
A later upstream package change could change what the archive workflow does in CI.
The suggested CI workflow installs the latest global OpenSpec CLI from npm rather than a pinned version, so future package changes could affect automated repository behavior.
run: npm install -g @fission-ai/openspec
Pin the OpenSpec CLI version in CI and review dependency provenance before enabling the workflow.
After installation, merges can automatically create archive PRs and attempt branch cleanup.
The optional GitHub Action automates follow-up repository changes after merges; it is disclosed and scoped to OpenSpec archiving, but mistakes in PR metadata could propagate into CI-created changes.
Triggers when a PR is merged to main ... Runs `openspec archive --yes` ... Opens a PR ... Deletes the original merged branch
Review the workflow before adding it, verify PR bodies use the correct change name, and consider requiring manual approval for archive PRs or branch deletion.
