Spec Workflow Mcp
v1.0.0Serve spec-driven dev tools via MCP for AI-assisted workflows. Use when adding tasks, planning iterations, tracking completion, reviewing quality.
⭐ 0· 76·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description match the observed behavior. The SKILL.md documents a local CLI that appends timestamped lines to per-command log files; scripts/script.sh implements the listed commands and data layout under ~/.local/share/spec-workflow-mcp. Nothing requested by the skill (no env vars, no binaries, no network) appears out of scope for a local spec/task logger.
Instruction Scope
Runtime instructions and the script are narrowly scoped to reading/writing plain-text log files under the DATA_DIR and invoking standard coreutils (date, tail, grep, wc, du). There are no network calls or attempts to read unrelated system config. Note: export routines write raw values into CSV/JSON/TXT without sanitization; exported CSV/JSON may contain unsanitized content and could lead to CSV injection when opened in spreadsheet software or produce invalid JSON if values contain unescaped quotes/newlines.
Install Mechanism
No install spec is present (instruction-only skill) and the only code is a single shell script included in the package. No downloads, third-party package installs, or archive extraction are performed by the skill itself—low install risk.
Credentials
The skill requires no credentials or special environment variables. It uses an optional DATA_DIR environment variable (default: $HOME/.local/share/spec-workflow-mcp) which is reasonable for a local CLI. Users should be aware that logs are stored in plaintext in the file system; do not record secrets or sensitive data in entries unless you move DATA_DIR to a secure location.
Persistence & Privilege
always:false and the skill writes only to its own data directory in the user's home. It does not request elevated privileges or modify other skills or system-wide settings. Autonomous invocation is allowed (default) but is not combined with broad credential access or privileged actions.
Assessment
This skill appears to be a simple local CLI logger and is coherent with its description. Before installing: (1) review scripts/script.sh yourself (it will run on your system); (2) be aware it creates and writes plaintext logs at ~/.local/share/spec-workflow-mcp by default — avoid entering passwords or secrets into entries; (3) if you export data, exported CSV/JSON are not sanitized (CSV may expose CSV-injection risks when opened in spreadsheet apps and JSON may be malformed if entries contain unescaped quotes/newlines); (4) you can change DATA_DIR to a different folder if you prefer to keep data elsewhere.Like a lobster shell, security has layers — review code before you run it.
latestvk9715w5rxjtkncxebvks9pmvyh83993b
License
MIT-0
Free to use, modify, and redistribute. No attribution required.