Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Spec-Kit SDD
v1.0.0 · GitHub Spec-Kit integration for Spec-Driven Development (SDD). Use when: (1) initializing a new Spec-Kit project, (2) creating/updating project constitution, ...
⭐ 0 · 53 · 0 current · 0 all-time
by James W (@james-code-hash)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
SKILL.md describes Spec-Kit integration and a specific feature for reassigning Paperclip issues, which matches the bundled speckit-reassign.sh script. However, the skill's metadata declares no required environment variables or binaries, while the script depends on the pnpm/paperclip CLI, curl, and access to a Paperclip API. Those capabilities should have been declared.
Instruction Scope
The runtime instructions and the included script make network calls (curl to PAPERCLIP_API_URL), run a project-local CLI (pnpm paperclipai), and access a filesystem workspace (default /home/openclaw/.openclaw/workspace/paperclip). SKILL.md documents neither the PAPERCLIP_* environment variables nor the expected workspace layout, so the instructions implicitly require access to the local agent workspace and to secret API keys that are never made explicit.
Install Mechanism
There is no install spec (instruction-only), which reduces install-time risk. SKILL.md instructs installing specify-cli with 'uv tool install specify-cli' from the referenced GitHub repo, i.e. an external install from a GitHub source. That is a plausible approach for this tool, but users should verify the referenced release and the repo's trustworthiness before running the installer.
Credentials
The skill metadata lists no required environment variables, yet the script reads PAPERCLIP_WORKSPACE_DIR, PAPERCLIP_API_BASE, PAPERCLIP_API_KEY, and PAPERCLIP_API_URL (and the docs also mention AGENT_CONFIG). These values are sensitive (API keys, base URLs) and are necessary for the reassign functionality; their absence from the declared requirements is a proportionality/visibility problem and could lead to accidental credential exposure if the skill is misused.
Persistence & Privilege
The skill is not always-enabled, does not request elevated platform privileges, and does not modify other skills or global agent config. The script operates on a workspace and external API but does not request permanent presence or platform-wide configuration changes.
What to consider before installing
This skill mostly does what it says, but exercise caution:
(1) The included reassign script expects PAPERCLIP_API_KEY and PAPERCLIP_API_URL (and may use a local workspace path) even though the skill metadata does not declare them; confirm which secrets and endpoints you must provide before installing.
(2) Verify and review the referenced GitHub repo (github.com/github/spec-kit) and the specify-cli install command before running it.
(3) If you don't use Paperclip, or don't want an agent able to call your issue API, do not provide PAPERCLIP_API_KEY and do not run the reassign script.
(4) Ask the publisher to explicitly list the required env vars, explain the default workspace path, and document when the script calls external endpoints; consider running the script in a sandbox first.
(5) If unsure, prefer manual review of the speckit-reassign.sh script and limit the scope of any API key before use.
Like a lobster shell, security has layers — review code before you run it.
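The gap that the Purpose & Capability and Credentials findings describe, environment variables and outbound calls a script needs but the skill metadata never declares, can be checked mechanically before installing. The following is an added example written for this page, not ClawHub's scanner and not code from the skill or from Spec-Kit: it extracts the variable names a script reads, subtracts the ones the script assigns itself, compares the remainder against the names the metadata declares, and lists the lines that invoke curl, wget, pnpm or npx. The sample script body and the declared-variable list are constructed for illustration; only the variable names come from the scan findings above, the real script's contents are assumed.

```shell
#!/bin/sh
# Added example for this page (not ClawHub's scanner, not the skill's own code):
# compare the environment variables a skill script actually reads with what the
# skill metadata declares, and list the lines that call external tools.

# Constructed stand-in for speckit-reassign.sh. Only the variable names come from
# the scan findings; the script body itself is assumed for illustration.
SAMPLE_SCRIPT='#!/usr/bin/env bash
WORKSPACE="${PAPERCLIP_WORKSPACE_DIR:-/home/openclaw/.openclaw/workspace/paperclip}"
API="${PAPERCLIP_API_URL:-$PAPERCLIP_API_BASE/api}"
cd "$WORKSPACE" || exit 1
pnpm paperclipai issue reassign "$1" "$2"
curl -s -H "Authorization: Bearer $PAPERCLIP_API_KEY" "$API/issues/$1"'

# What the skill metadata declares (per the scan: nothing), one name per line.
DECLARED_ENV=''

# Upper-case names referenced as $NAME or ${NAME...}, de-duplicated and sorted.
referenced_vars() {
  printf '%s\n' "$1" | grep -oE '\$\{?[A-Z_][A-Z0-9_]*' | sed 's/^\$//; s/^{//' | sort -u
}

# Names the script assigns itself (NAME=...), so they are not inherited env vars.
assigned_vars() {
  printf '%s\n' "$1" | grep -oE '^[A-Z_][A-Z0-9_]*=' | sed 's/=$//' | sort -u
}

# Referenced names that the script never assigns: these must come from the
# environment, i.e. they are the script's real configuration and secrets.
external_vars() {
  assigned_list=" $(assigned_vars "$1" | tr '\n' ' ') "
  referenced_vars "$1" | while IFS= read -r v; do
    case "$assigned_list" in *" $v "*) ;; *) printf '%s\n' "$v" ;; esac
  done
}

# $1: declared names (newline-separated), $2: script text.
# Prints the env vars the script needs that the metadata does not declare.
undeclared_vars() {
  declared_list=" $(printf '%s' "$1" | tr '\n' ' ') "
  external_vars "$2" | while IFS= read -r v; do
    case "$declared_list" in *" $v "*) ;; *) printf '%s\n' "$v" ;; esac
  done
}

# Lines that invoke network or package tooling (assumed watch-list), with line numbers.
outbound_calls() {
  printf '%s\n' "$1" | grep -nE '(^|[^A-Za-z_])(curl|wget|pnpm|npx)([^A-Za-z_]|$)'
}

echo "env vars read from the environment:"
external_vars "$SAMPLE_SCRIPT"
echo "of those, not declared in the skill metadata:"
undeclared_vars "$DECLARED_ENV" "$SAMPLE_SCRIPT"
echo "lines that run external tools or reach the network:"
outbound_calls "$SAMPLE_SCRIPT"
```

Run against the real speckit-reassign.sh by replacing SAMPLE_SCRIPT with `$(cat speckit-reassign.sh)` and DECLARED_ENV with the names from the skill's metadata; anything the second list prints is a secret or endpoint the publisher should have declared, and the third list is where the script leaves the local machine. The check is textual, so it catches direct references only, not variables read through indirection or by the tools the script invokes.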
latest: vk9780g9qq4h3s2zj2rf54pqp5183w05j
