Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Spec-driven development vibe coding skill

v1.0.1

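Drives the complete spec-driven development lifecycle in a cloned Git repository (init→requirements→architecture→process_design→project_plan→coding→test→bugfix→code_review→release). Stage gating, mandatory artifact output, multi-language support, built-in commit me...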

by 胡实 (@listenbehind)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Requiring git and a Git PAT (SPEC_DEV_GIT_TOKEN) is coherent with a skill that clones, commits, tags, and pushes a repository. Optional username/email env vars are reasonable. No unrelated cloud credentials or unexpected binaries are requested.
!
Instruction Scope
SKILL.md instructs reading and writing many repo files, committing WIP, tagging, optionally pushing checkpoint tags, and dynamically loading other SKILL.md files from auxiliary/skills/* — expected for orchestration but dangerous because: (1) it reads environment variables not declared (OPENCODE_SESSION_ID, CLAUDE_SESSION_ID, AGENT_SESSION_ID) for Session ID capture; (2) it promises tokens are never written to artifacts/logs yet the checkpoint/save/clone flow describes using credential helper and constructing authenticated HTTPS URLs which commonly write tokens into ~/.git-credentials or remote URLs; (3) progressive loading of SKILL.md files from the repo means the skill will execute instructions whose content is governed by repository contents (dynamic behavior). The SKILL.md also contained unicode-control-chars flagged as potential prompt-injection, which could attempt to influence model parsing.
Install Mechanism
Install spec only suggests installing git via brew (formula: git). That's a standard, low-risk package source and matches the declared binary requirement. No arbitrary downloads or extracts are present.
!
Credentials
The single required secret SPEC_DEV_GIT_TOKEN is proportionate to operations that push to and tag a remote; it is declared as primaryEnv. However, the instructions read additional environment variables (OPENCODE_SESSION_ID, CLAUDE_SESSION_ID, AGENT_SESSION_ID) that are not declared in requires.env. More importantly, the skill's operational steps imply writing credentials to ~/.git-credentials or embedding tokens in remote URLs — this conflicts with the SKILL.md's 'never write token to artifacts/logs' claim and risks token exposure via filesystem, git config, or remote URLs. The skill does not request unrelated credentials, but its handling of the token is underspecified and risky.
!
Persistence & Privilege
always:false and normal autonomous invocation are appropriate. However, the skill explicitly writes commits, tags, checkpoint documents into the repository and may write to the user's home (~/.git-credentials). Writing credentials to a home file is system-level persistence beyond the skill's own ephemeral state and increases blast radius if the token is mishandled. The skill does not request to modify other skills' configs, but dynamic loading of SKILL.md files from the repository elevates runtime scope.
Scan Findings in Context
[unicode-control-chars] unexpected: The SKILL.md contained unicode control characters flagged by the pre-scan. This can be used for prompt-injection or to obfuscate instructions; it is not necessary for a spec-driven development workflow and should be reviewed manually.
What to consider before installing
This skill largely does what it says — orchestrates a spec-driven lifecycle inside a cloned Git repo — and requiring git plus a Git token is expected. However, there are three things to watch before installing or running it:

1) Token handling: The skill requires SPEC_DEV_GIT_TOKEN and claims it will not be written to artifacts/logs, yet its described flow constructs authenticated HTTPS URLs and uses the git credential helper (mentions ~/.git-credentials) and may push tags upstream. These steps commonly write tokens to disk or leave them in git metadata. Only supply a token with the minimum rights needed (preferably a token limited to the target repo and only to the required scopes). Consider using a short-lived token and be prepared to revoke it after use.

2) Undeclared environment variables & session capture: The SKILL.md reads OPENCODE_SESSION_ID, CLAUDE_SESSION_ID, and AGENT_SESSION_ID (not declared in requires.env). If your environment populates these, they may be written into checkpoint metadata. Verify whether you want these session IDs captured and stored in repo files.

3) Dynamic instruction loading & prompt-injection artifacts: The orchestrator will read auxiliary/skills/available_skills.xml and load SKILL.md files from the repository on-demand. That means repo contents can change the skill's behavior at runtime. Also, the pre-scan found unicode control characters — review the SKILL.md and any auxiliary SKILL.md files in the repo for obfuscated or malicious instructions before running.

Practical mitigations:
- Run the skill in a sandboxed environment or throwaway runner with access only to the intended repo. Do not run it with broad filesystem or network privileges.
- Provide a least-privilege PAT scoped to only the target repo and the minimal push/tag scopes; prefer short-lived tokens and rotate/revoke after use.
- Inspect and (if possible) lock the auxiliary/skills/* files in the repo so their contents are reviewed and trusted before allowing the orchestration to load them.
- Check ~/.git-credentials and git remote URLs after first run; prefer credential helpers that avoid persistent plaintext storage (credential cache or OS native helpers) or adjust the workflow to avoid writing the token into files.
- If you require stronger assurance, request a code-based implementation (not instruction-only) so you can review exact commands executed, or run the skill step-by-step with manual confirmation for commits/pushes.

If you want, I can: (a) list the exact places the SKILL.md writes or could write secrets, (b) suggest a minimal PAT scope to use safely, or (c) point out exact lines in the SKILL.md that should be changed to avoid writing tokens to disk.

Like a lobster shell, security has layers — review code before you run it.

latestvk975jfkmpw0zgzg0f1qsz8mpf583nrp1


Runtime requirements

🛠️ Clawdis
Bins: git
Env: SPEC_DEV_GIT_TOKEN
Primary env: SPEC_DEV_GIT_TOKEN

Install

Install git (brew)
Bins: git
brew install git
