GSD Orchestrator
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is coherent for its stated purpose, but it delegates broad headless development work to an external CLI that can auto-run tasks, auto-answer prompts, and receive secrets.
Install only if you intentionally want an agent to run GSD as a powerful headless project orchestrator. Use a separate branch or sandbox, prefer step-by-step `next` runs, review diffs and `.gsd/` state, and provide only limited temporary secrets.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could run substantial development work, modify project state, or continue through queued tasks without the user reviewing each step.
The skill encourages invoking a subprocess that can run all queued development units automatically, including the end-to-end `--auto` milestone workflow.
Default command is `auto` (run all queued units). ... `gsd headless --output-format json new-milestone --context spec.md --auto`
Prefer `gsd headless next` for one-step-at-a-time control, review `gsd headless query` output between steps, and require explicit user approval before `auto`, `--auto`, forced dispatch, or rollback commands.
Prompts that normally ask for confirmation or choices may be answered automatically, which could allow unintended actions to proceed.
The documented headless behavior can automatically answer prompts and confirmations, reducing human approval around potentially impactful workflow decisions.
Headless mode has built-in auto-responders for all prompt types: ... Confirm | Auto-confirms ... Select | Picks first option
Use supervised mode or an explicit answers file for known questions, and avoid relying on default auto-confirm behavior for sensitive projects.
API keys, database URLs, or other credentials placed in an answers file may become available to the GSD subprocess and any tools it runs.
The skill documents arbitrary secret injection into a child process, but the registry metadata declares no required credentials or environment variables and the artifacts do not bound which secrets are appropriate.
"secrets": { "API_KEY": "sk-...", "DATABASE_URL": "postgres://..." } ... Secrets are injected as environment variables into the GSD child process
Only provide narrowly scoped, temporary credentials; avoid production secrets; delete answer files after use; and run the workflow in an isolated project environment.
The main behavior depends on the external `gsd-pi` package rather than code included with this skill.
The skill depends on installing and trusting an external global npm package, while the submitted artifacts contain no implementation code to review.
npm install -g gsd-pi
Verify the package publisher and version before installing, consider pinning a known-good version, and run it in a sandbox or disposable development environment first.
Incorrect or malicious project knowledge could influence later development runs if it is stored and trusted.
The GSD workflow can store persistent project knowledge that may be reused in future sessions.
`knowledge <rule|pattern|lesson>` ... Add persistent project knowledge.
Periodically review GSD project knowledge and `.gsd/` state, and avoid storing secrets or untrusted instructions there.
A bad spec, wrong answer, or mistaken auto-run could lead to multiple file changes or commits before the user notices.
The subprocess can create or modify project artifacts and produce commits, so an erroneous autonomous run could propagate changes across the codebase.
`artifacts` | Paths to artifacts created or modified during the session. ... `commits` | Git commit SHAs created during the session.
Run in a clean git branch, inspect diffs after each step, and avoid full auto-mode on repositories where unintended changes would be costly.
