Superpowers-Openclaw

Result: Pass. Audited by VirusTotal on May 4, 2026.

Overview

Type: OpenClaw Skill
Name: superpowers-openclaw
Version: 1.0.0

The bundle is a comprehensive port of the 'Superpowers' software development methodology to the OpenClaw platform, focusing on TDD, systematic debugging, and design-first workflows. While it uses authoritative markdown instructions and 'persuasion principles' (documented in persuasion-principles.md) to enforce discipline on the AI agent, these techniques are used to ensure adherence to the stated development process rather than for malicious purposes. The instructions explicitly state that user commands take precedence, and no evidence of data exfiltration, malicious execution, or unauthorized persistence was found across the files.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may refuse to start coding until it has completed the skill's design and approval process.

Why it was flagged

This intentionally changes the agent's task order and stopping conditions. It is disclosed and central to the design-before-code purpose, but users should expect the agent to pause for explicit approvals.

Skill content
Do NOT write any code, scaffold any project, or take any implementation action until you have presented a design and the user has approved it.
Recommendation

Install this skill only if you want a strict design-first workflow; give explicit approval when you want the agent to proceed.

What this means

If used, the agent can make persistent changes to your git repository or create remote PR activity using your configured tools.

Why it was flagged

The finishing workflow can merge branches, push to a remote, create a PR, or delete a feature branch. The actions are purpose-aligned and the discard path requires exact confirmation, but they are still repository-affecting operations.

Skill content
1. Merge back to <base-branch> locally
2. Push and create a Pull Request
3. Keep the branch as-is
4. Discard this work
Recommendation

Review the base branch, feature branch, test results, and chosen option before allowing merge, push, PR creation, or discard actions.

What this means

The agent may remove local implementation work if it believes the TDD process was not followed.

Why it was flagged

The TDD instructions tell the agent to discard implementation code that was written before a failing test. This appears aimed at the agent's own work and fits the methodology, but deletion should be scoped carefully.

Skill content
Write code before the test? Delete it. Start over. ... Delete means delete
Recommendation

Require explicit confirmation before deleting existing, user-authored, or hard-to-recreate code; use git/worktrees so discarded work is recoverable.

What this means

The agent could create a PR under your configured GitHub account if you choose that completion option.

Why it was flagged

Creating a pull request through the GitHub CLI normally uses the locally configured GitHub identity. This is expected for a PR workflow, but users should know it may act through their account.

Skill content
gh pr create --title "<title>" --body
Recommendation

Confirm the target repository, branch, title, and PR body before allowing PR creation, and ensure the intended GitHub account is active.

What this means

You may not be able to verify from the registry metadata alone that the installed package exactly matches the referenced repository.

Why it was flagged

The registry metadata does not attest a concrete source package even though it provides a homepage. No install script or code execution is shown, so this is a provenance note rather than a behavioral concern.

Skill content
Source: unknown; Homepage: https://github.com/superpowers-open/superpowers-open
Recommendation

Verify the full package contents against the stated homepage or a trusted release before installing.