Brainstorming
Analysis
This is mostly a coherent planning skill, but review it carefully because its visual companion runs an unauthenticated browser/WebSocket server that can be exposed beyond localhost and can influence the agent’s recorded choices.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
You MUST use this before any creative work ... Do NOT invoke any implementation skill, write any code, scaffold any project, or take any implementation action until you have presented a design and the user has approved it.
The skill deliberately changes the agent’s workflow by requiring a design gate before implementation. This matches the stated brainstorming purpose, but it is broad and can override a user’s desire for quick direct changes.
Write design doc — save to `docs/superpowers/specs/YYYY-MM-DD-<topic>-design.md` and commit
The skill instructs the agent to mutate the project workspace and create a git commit. That is purpose-aligned for a spec workflow, but it affects repository state.
Install specifications: No install spec — this is an instruction-only skill. Code file presence: 4 code file(s): scripts/helper.js, scripts/server.cjs, scripts/start-server.sh, scripts/stop-server.sh
The registry presentation under-declares the runnable helper scripts included with the skill. The helper code is visible in the artifacts and appears related to the visual companion, so this is a review note rather than evidence of hidden behavior.
nohup env BRAINSTORM_DIR="$SCREEN_DIR" ... node server.cjs > "$LOG_FILE" 2>&1 & ... disown "$SERVER_PID"
The visual companion can run as a detached background process. The artifacts disclose this and include shutdown/idle behavior, so it is bounded but still worth noticing.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
const HOST = process.env.BRAINSTORM_HOST || '127.0.0.1'; ... function handleUpgrade(req, socket) { const key = req.headers['sec-websocket-key']; if (!key) { socket.destroy(); return; } ... clients.add(socket); } ... fs.appendFileSync(eventsFile, JSON.stringify(event) + '\n');
The companion server's bind host is configurable, and WebSocket clients are admitted as soon as they present a Sec-WebSocket-Key header. That header is the nonce every WebSocket client sends as part of the protocol handshake, not a credential, so nothing in the shown excerpt authenticates the browser or checks its Origin before the server starts recording its messages as user choices. The companion guide also documents non-loopback binding for remote or containerized setups, which turns a same-machine exposure into a network-reachable one.
Selections are recorded to a `.events` file that you read on your next turn. ... mockups persist in `.superpowers/brainstorm/` and survive server restarts.
The visual companion stores user interaction data and generated mockups for later agent use. This is central to the feature, but it creates persistent local context that the agent re-reads on later turns. Whatever lands in the `.events` file was written by the server on behalf of whichever client connected, so it is input to be validated against the options the agent actually offered, not verified user intent, and the `.superpowers/brainstorm/` directory should be kept out of commits.
