Openclaw Godmode Skill Repo

Audited by ClawScan on May 10, 2026.

Overview

This is a transparent documentation-only development orchestrator, but it gives agents broad runtime authority to edit code, run commands, and publish GitHub changes with limited approval guidance.

Install only if you are comfortable with a user-invoked agent editing project files, running shell/test/browser tools, and using GitHub credentials. Before using release or issue workflows, require explicit confirmation for tags, releases, PR merges, issue closure, CI/CD triggers, and pushes, and use scoped credentials in a trusted repository.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (Medium Confidence)
ASI02: Tool Misuse and Exploitation
What this means

A user could ask for release preparation and have the agent publish repository changes or trigger CI/CD before they expected a final review step.

Why it was flagged

Publishing releases, creating tags, and triggering CI/CD are high-impact GitHub/repository actions. The workflow makes them part of the normal release path, but the artifacts do not clearly require a separate user confirmation for these mutations.

Skill content

**Trigger:** `Prepare Release` ... **@github-manager** - Publish
   - Create git tag
   - Create GitHub release
   - Trigger CI/CD

Recommendation

Add explicit approval gates for GitHub release creation, tag creation, PR merge, issue close, CI/CD triggers, and any remote repository mutation; scope operations to the current repository and branch.

What this means

During use, the agent may run tests, build commands, shell commands, or tooling that can modify the local project environment.

Why it was flagged

The package itself does not execute code at install time, but it explicitly instructs runtime agents to execute commands and use network access.

Skill content

security:
  install_time_executes_code: false
  runtime_agent_executes_code: true
  runtime_agent_network_access: true

Recommendation

Use it in repositories you trust, review planned commands before execution, and run with least-privileged local and GitHub accounts.

What this means

If broad credentials are available, the agent may be able to act on GitHub or MCP-connected services beyond the immediate task.

Why it was flagged

GitHub, Claude, and MCP credentials are expected for the documented integrations, but they grant delegated authority to the agent at runtime.

Skill content

runtime_credentials:
  optional:
    - GH_TOKEN (for GitHub operations)
    - Claude/Anthropic auth (if using Claude Code workflows)
    - MCP server auth/config (if applicable)

Recommendation

Use least-privilege GitHub tokens, restrict MCP server access, and avoid running the workflow with credentials that can affect unrelated repositories or organizations.

What this means

Stored decisions or research notes could influence later work, and incorrect or sensitive entries may be reused if memory is enabled.

Why it was flagged

The researcher agent is documented as using memory to store and reuse context across tasks, which is purpose-aligned but can persist or bias future decisions.

Skill content

### Memory Usage
- Store: Key decisions, no-go technologies, verified sources
- Query: Before new research, check existing findings

Recommendation

Do not store secrets in agent memory, periodically review or clear memory entries, and treat remembered research as advisory rather than authoritative.