Plan Eng Review
v1.0.0 · Eng manager-mode plan review. Lock in the execution plan — architecture, data flow, diagrams, edge cases, test coverage, performance. Walks through issues in...
⭐ 0 · 125 · 1 current · 1 all-time
by@loocor
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
Medium confidence
Purpose & Capability
Name/description (engineering plan review) matches the instructions: the SKILL.md contains explicit review steps, checklists, diagrams, and a 'Step 0' that inspects the repo/branch and design docs. The only minor mismatch: the skill declares no required binaries, yet its instructions expect common dev tools (git, gh, shell utilities) to be present. This is reasonable for the stated purpose but should be stated in the metadata.
Instruction Scope
Instructions focus on reviewing architecture/design and performing repo-local checks. They explicitly run/expect commands such as `gh pr view --json baseRefName`, `gh repo view`, `git rev-parse`, `ls`, and repo file reads for design docs; they ask the agent to present structured questions and recommend concrete options. There are no instructions to exfiltrate data to third-party endpoints or to read arbitrary system files outside the repository context.
Install Mechanism
No install spec and no code files — instruction-only skill. This minimizes risk because nothing is downloaded or written to disk by the skill bundle itself.
Credentials
The skill declares no required environment variables or credentials, which aligns with being instruction-only. However, the runtime steps call `gh` and `git`, which commonly rely on local GitHub authentication (the GH_TOKEN/GITHUB_TOKEN environment variables, or the token stored by `gh auth login` under ~/.config/gh) and on repository access. The skill neither mentions nor restricts these implicit dependencies; users should be aware that the agent will need repo access and that the host's gh credentials and config will be used by the commands it runs.
Persistence & Privilege
`always` is false and autonomous invocation is allowed (platform default). The skill does not request persistent system presence and does not attempt to modify other skills or system-wide settings.
Assessment
This skill is instruction-only and appears coherent for reviewing engineering plans. Before installing or enabling it for autonomous use:
1) It expects to run standard dev tooling (git, gh, shell) and will read files in the repository; grant the agent access only to repositories you trust.
2) GitHub CLI (`gh`) may use local credentials or tokens; verify which account and permissions your environment exposes to the agent, and avoid handing it a high-privilege token it does not need.
3) Because there is no install step and no external code, the risk is mainly repository and credential access: limit scope, run in a sandbox or low-privilege account where possible, and confirm you are comfortable with the agent reading repository files and running git/gh commands.
4) For stricter guarantees, ask the publisher to declare the required binaries and to note any implicit credential usage explicitly (e.g. uses `gh`, which may rely on GH_TOKEN or interactive auth).
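The checks in points 2 and 3 can be scripted. The following is an added example, not code from the skill or from OpenClaw: it enumerates the GitHub credential sources an agent process would inherit (the token environment variables gh honours, and the hosts.yml that `gh auth login` writes) and provides a wrapper that runs a command with those sources stripped. It assumes a POSIX shell; `env -u` is a GNU/BSD extension rather than strict POSIX. The function and file names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the skill): audit which GitHub credential sources
# an agent process would inherit before enabling autonomous gh/git use.
# GH_TOKEN, GITHUB_TOKEN, GH_ENTERPRISE_TOKEN, GITHUB_ENTERPRISE_TOKEN and
# GH_CONFIG_DIR are the variables gh itself reads; everything else here is ours.

# Print one line per credential source found.
# Returns 0 when none is found, 1 when at least one is.
gh_cred_sources() {
  found=0
  for v in GH_TOKEN GITHUB_TOKEN GH_ENTERPRISE_TOKEN GITHUB_ENTERPRISE_TOKEN; do
    eval "val=\${$v:-}"
    if [ -n "$val" ]; then
      echo "env:$v set"
      found=1
    fi
  done
  # gh resolves its config dir as GH_CONFIG_DIR > $XDG_CONFIG_HOME/gh > ~/.config/gh.
  # hosts.yml is written by `gh auth login`; on some systems the token itself is
  # kept in the OS keyring, so this file can exist while the secret lives elsewhere.
  cfg_dir="${GH_CONFIG_DIR:-${XDG_CONFIG_HOME:-$HOME/.config}/gh}"
  if [ -f "$cfg_dir/hosts.yml" ]; then
    echo "file:$cfg_dir/hosts.yml"
    found=1
  fi
  return $found
}

# Run a command with inherited gh credentials removed: token variables are
# unset and GH_CONFIG_DIR is pointed at an empty scratch directory, so gh
# inside the command sees no stored login either.
without_gh_creds() {
  scratch=$(mktemp -d)
  env -u GH_TOKEN -u GITHUB_TOKEN -u GH_ENTERPRISE_TOKEN -u GITHUB_ENTERPRISE_TOKEN \
      GH_CONFIG_DIR="$scratch" "$@"
  rc=$?
  rm -rf "$scratch"
  return $rc
}

# Usage: sh gh_cred_audit.sh --report
# Prints the sources found and exits 1 if any exist, 0 if the environment is clean.
if [ "${1:-}" = "--report" ]; then
  gh_cred_sources
fi
```

Run the report before granting the agent autonomous use; a non-zero exit means the agent would inherit a real GitHub identity. If the review genuinely needs `gh pr view` and `gh repo view`, prefer launching the agent through `without_gh_creds` with a deliberately minted, read-only token exported inside that command rather than the host's default login.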
latest · vk97a48ngx5r43wjnjhcck8bwen83a28r
