Superpowers-Openclaw
Pass
Audited by ClawScan on May 4, 2026.
Overview
Based on the provided artifacts, this is a benign instruction-only development workflow skill, but it deliberately constrains the agent and can guide git/PR actions that affect your repository.
Install this if you want a strict design-before-code and TDD workflow. Before using its branch-finishing steps, check git branch names, test results, PR contents, and any delete/discard actions carefully; also verify the complete package source because some file contents were not available in the supplied review context.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may refuse to start coding until it has completed the skill's design and approval process.
This intentionally changes the agent's task order and stopping conditions. It is disclosed and central to the design-before-code purpose, but users should expect the agent to pause for explicit approvals.
Do NOT write any code, scaffold any project, or take any implementation action until you have presented a design and the user has approved it.
Install this skill only if you want a strict design-first workflow; give explicit approval when you want the agent to proceed.
If used, the agent can make persistent changes to your git repository or create remote PR activity using your configured tools.
The finishing workflow can merge branches, push to a remote, create a PR, or delete a feature branch. The actions are purpose-aligned and the discard path requires exact confirmation, but they are still repository-affecting operations.
1. Merge back to <base-branch> locally
2. Push and create a Pull Request
3. Keep the branch as-is
4. Discard this work
Review the base branch, feature branch, test results, and chosen option before allowing merge, push, PR creation, or discard actions.
The agent may remove local implementation work if it believes the TDD process was not followed.
The TDD instructions tell the agent to discard implementation code that was written before a failing test. This appears aimed at the agent's own work and fits the methodology, but deletion should be scoped carefully.
Write code before the test? Delete it. Start over. ... Delete means delete
Require explicit confirmation before deleting existing, user-authored, or hard-to-recreate code; use git/worktrees so discarded work is recoverable.
The agent could create a PR under your configured GitHub account if you choose that completion option.
Creating a pull request through the GitHub CLI normally uses the locally configured GitHub identity. This is expected for a PR workflow, but users should know it may act through their account.
gh pr create --title "<title>" --body
Confirm the target repository, branch, title, and PR body before allowing PR creation, and ensure the intended GitHub account is active.
You may not be able to verify from the registry metadata alone that the installed package exactly matches the referenced repository.
The registry metadata does not attest a concrete source package even though it provides a homepage. No install script or code execution is shown, so this is a provenance note rather than a behavioral concern.
Source: unknown; Homepage: https://github.com/superpowers-open/superpowers-open
Verify the full package contents against the stated homepage or a trusted release before installing.
