v0.6.1

SpecClaw

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 8:36 AM.

Analysis

SpecClaw is coherent for automating software development, but it can run shell commands, spawn coding agents, read files into prompts, and automatically commit or merge code, so it needs careful review before use.

Guidance: Install only in repositories you trust. Before running build or verify, review .specclaw/config.yaml, tasks.md file paths, and any GitHub or automation settings; disable auto_mode and github.sync unless needed, set auto_commit or merge behavior to require review, and approve shell commands and final diffs manually.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
Severity: High | Confidence: High | Status: Concern
scripts/build.sh
if ! eval "$test_command" >&2 2>&1; then ... if ! eval "$lint_command" ... if ! eval "$build_command"

The finalize step shell-evaluates command strings read from .specclaw/config.yaml, so configured test/lint/build values can execute arbitrary shell syntax.

User impact: A malicious, mistaken, or repo-provided config command could run unintended local commands when the build finalizes.
Recommendation: Avoid eval for configured commands; show the exact command to the user and require approval, or run only allowlisted commands.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
references/build-engine.md
sessions_spawn with context payload ... build.sh commit ... build.sh finalize ... For branch-per-change: checks out main/master, runs `git merge --no-ff`

The documented build flow chains spawned coding agents, git commits, and branch merging; the artifacts do not show a mandatory human approval step before merge.

User impact: Agent-generated changes could be committed and merged into the main branch before a human reviews the final diff.
Recommendation: Default to staging only, require explicit user approval before commits and merges, and run verification before any merge to the main branch.

Rogue Agents
Severity: Medium | Confidence: Medium | Status: Note
references/workflow-examples.md
automation:
  auto_mode: true
  cron: "0 2 * * *" ... Agent wakes up ... Runs: specclaw build add-dark-mode ... Spawns agents

The documentation describes an optional autonomous cron-style mode that can start builds and spawn agents without the user being actively present.

User impact: If enabled, SpecClaw may make progress and modify project state on a schedule rather than only during an interactive session.
Recommendation: Keep auto_mode disabled unless you intentionally want scheduled automation, and require approvals for build, commit, sync, and merge actions.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: Medium | Status: Note
file manifest
No install spec — this is an instruction-only skill. ... 13 code file(s): scripts/build-context.sh ... scripts/build.sh ... scripts/gh-sync.sh

The package is presented as instruction-only but includes bundled shell scripts that are central to the workflow.

User impact: Users may not realize local scripts and git operations are part of normal use even though no install requirements are declared.
Recommendation: Inspect bundled scripts before use and ensure required local tools such as bash, git, and any GitHub CLI dependency are expected in the target project.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
GitHub sync (if `github.sync` is true): Run `bash skill/scripts/gh-sync.sh create .specclaw <change>` to create a GitHub Issue

When enabled, the skill can create or update GitHub issues using the user's GitHub environment or CLI identity.

User impact: The skill may post project details or task checklists to GitHub and mutate repository issue state.
Recommendation: Enable GitHub sync only for intended repositories, review what will be posted, and use least-privilege GitHub credentials.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: High | Confidence: High | Status: Concern
scripts/build-context.sh
# Build context payload for a specific task — feeds the coding agent ... local full_path="$PROJECT_ROOT/$file" ... output+="$(cat "$full_path")"

The script reads file paths from task metadata and copies their contents into a coding-agent prompt, with no visible path containment or secret-file exclusion in this script.

User impact: If a task file list includes an unexpected path such as a parent-directory reference, sensitive local files could be read into a spawned agent's context.
Recommendation: Resolve real paths and enforce that task files stay inside the repository, reject '..' and absolute paths, and exclude secrets or credential files before spawning agents.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Note
SKILL.md
patterns.md          # Recurring pattern registry (cross-change) ... errors.md ... learnings.md

SpecClaw stores cross-change patterns, errors, and learnings that can later influence generated prompts and agent behavior.

User impact: Incorrect or malicious content in .specclaw files could persist and shape future planning or build behavior.
Recommendation: Review .specclaw/patterns.md, learnings.md, errors.md, specs, and tasks before letting agents reuse them across changes.