Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Harness Factory — AI Engineering Team
v0.7.0Use when building features, fixing complex bugs, or doing major refactoring. Transforms your agent into a structured engineering team: Plan → Build (via ACP)...
⭐ 0· 60·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to orchestrate a Harness Engineering workflow and the provided templates, builder/reviewer agent prompts and checklists align with that purpose. However, the SKILL.md assumes use of external tooling (claude CLI, ACP remote sessions, git worktrees) yet the registry metadata declares no required binaries or environment variables — a practical mismatch (not necessarily malicious) that could surprise users who don't have or don't want to use those tools.
Instruction Scope
The instructions explicitly require reading the codebase and creating worktrees and (optionally) spawning ACP builder sessions that instruct a remote agent to 'Read SPRINT.md' and implement code. That implies sending project context/files to an external agent/runtime when using Option B (ACP). The SKILL.md does not clearly warn users that remote sessions will access project files or identify what is transmitted, creating a risk of unintended code or secret exposure.
Install Mechanism
This is an instruction-only skill with no install spec and no code to execute locally from the skill bundle. That lowers direct install risk — the skill will only run whatever the agent/platform executes based on the instructions/templates.
Credentials
No environment variables or credentials are declared, which is consistent with an instruction-only template. However, the workflow depends on external runtimes (ACP/claude) which typically require credentials or network access; the omission of any mention of required tooling, auth, or where data may be sent is a proportionality/visibility gap that users should be aware of.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system-level privileges. It doesn't modify other skills or system configs in the provided materials.
What to consider before installing
This skill is a cohesive set of templates and agent prompts for running a multi-stage engineering workflow. Before installing or using it: 1) Note that the SKILL.md recommends using a local 'claude' agent or an 'acp' remote session — both can read and act on your project files. If you choose the remote/ACP path, expect project files and SPRINT.md content to be sent to a remote agent; do not use it on repositories containing secrets or sensitive data unless you trust the remote execution environment. 2) The skill does not declare required binaries or credentials (claude CLI, git) — verify you have the intended tooling and understand any provider credentials used by ACP. 3) Constrain scope in SPRINT.md (explicit 'Can modify' and 'Must NOT touch' lists) and exclude sensitive files. 4) Prefer local-only Builder runs (Option A) if you want to avoid external transmission. 5) If you need higher assurance, ask the skill author to explicitly declare any external endpoints, required binaries, and how data is transmitted/retained by remote agents.Like a lobster shell, security has layers — review code before you run it.
latestvk97ed5rp3xttpf2t61s5at06h183zk4c
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🏭 Clawdis
OSmacOS · Linux