Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Spec Flow

v0.1.0

Spec-driven development workflow. Interactive phase-by-phase confirmation from proposal to implementation. Trigger: 'spec-flow', 'spec mode', 'need a plan',...

by 青雲@echovic
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (Spec Flow, phase-by-phase spec authoring + implementation) matches the included files: SKILL.md, templates, references, and helper scripts for initializing and managing .spec-flow. There are no requested credentials, binaries, or config paths that are unrelated to authoring specs and managing the .spec-flow directory.
Instruction Scope
SKILL.md confines operations to the .spec-flow/ directory and mandates user confirmation at each phase. The runtime instructions explicitly read and write local files (proposal.md, requirements.md, design.md, tasks.md) and reference the included reference docs. This is appropriate for the stated purpose, but the workflow includes an Implementation phase in which the agent, when instructed by the user, may execute tasks; be aware that executing tasks can involve running tool calls or making edits in your project repository once you tell the agent to do so (the skill enforces confirmation points and has a --fast option that bypasses them only if explicitly requested).
Install Mechanism
No install spec (instruction-only) and included helper scripts are local shell/Python files. Nothing is pulled from external URLs or installed automatically. This is low-risk from an install/download perspective.
Credentials
The skill declares no required environment variables, credentials, or config paths. Some documentation (CONTRIBUTING.md) mentions an example env var (SPEC_FLOW_TEMPLATES) but neither SKILL.md nor the visible scripts require it; if you rely on environment-driven template overrides, inspect the code to confirm behavior. Overall, requested environment access is proportionate to the task.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or global agent config in the reviewed files. It will create and modify a .spec-flow/ directory in the current project — that is expected and appropriate for its function.
Assessment
This skill appears coherent for creating and managing specification documents and guiding implementation in a repo. Before installing and running:
1) Review the full contents of scripts/validate-spec-flow.py (not shown here) to ensure it doesn't call external endpoints or read unexpected files.
2) Be mindful that the Implementation phase implies the agent may execute tasks in your project — only allow 'execute all' or batch modes when you trust the generated tasks and the agent's behavior.
3) The skill will create and write files under .spec-flow/ in whatever workspace you run it in — run it from the intended repository.
4) If you keep sensitive data in your repo, verify the scripts do not upload or leak files (no evidence was found in the visible scripts).
5) If you want tighter control, prefer Step mode (default) so the agent stops for your confirmation between tasks.

