LightSpec
v0.6.0
AI-native spec-driven development tool. Create, manage, and apply specifications with your agent.
by Marco Leong (@marcoleongdev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
The name and description (a spec-driven CLI) align with the instructions: the doc tells the agent to install a Node.js-based CLI via npm and run lightspec commands. The required capabilities are limited to Node/npm and reading project files (e.g., .lightspec/config.json, AGENTS.md), which is appropriate for this purpose.
Instruction Scope
SKILL.md tells the agent to install the CLI, verify it, run commands (init, change, validate, apply, etc.), and read project files. It does not instruct reading unrelated system files, harvesting env vars, or exfiltrating data. It explicitly advises confirming with the user before running file-changing commands, which is appropriate.
Install Mechanism
This is an instruction-only skill (no install spec). It recommends 'npm install -g lightspec', a standard install path for a CLI, but that pulls code from the npm registry, may execute the package's install-time lifecycle scripts (preinstall, install, postinstall), and may require elevated privileges on some systems. That is expected for a CLI but is a moderate operational risk to be aware of.
Credentials
The skill requests no environment variables or external credentials. It does reference local configuration (.lightspec/config.json) and project files (lightspec/changes/...), which is proportional to a project-scoped CLI tool.
Persistence & Privilege
The always flag is false and autonomous invocation is allowed (platform default). The skill's instructions do not request persistent or cross-skill configuration changes and do not ask to modify other skills or system-wide agent settings.
Assessment
This skill appears coherent for managing a Node-based CLI. Before installing or allowing the agent to run commands:
1) Verify the npm package and GitHub repository (publisher, recent commits, reputation).
2) Prefer non-global installs (npx or a local project install), or run in a sandbox/container, if you want to avoid global changes and privilege elevation.
3) Be cautious because 'npm install -g' can run install scripts from the package: inspect the package or its source before installing.
4) Require explicit user confirmation before the agent runs commands that change files (init, apply, uninstall).
5) If you want higher assurance, ask the agent to show the exact commands it will run and to display the lightspec package source or installation log before proceeding.

Like a lobster shell, security has layers — review code before you run it.
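The Install Mechanism finding and items 2) and 3) of the assessment both come down to one check: look at what the package will execute at install time before letting npm run it. The script below is an added example (not part of the LightSpec project or the scan) that reads an npm tarball, as produced by `npm pack <package>` (which downloads the tarball without installing it), and reports the lifecycle hooks npm would run during `npm install`, plus the bin entries that would land on PATH with a global install. The sample tarball it builds for the demo is constructed data with a fabricated package name and a postinstall hook; it is not the real lightspec package.

```python
"""Audit an npm package tarball for install-time lifecycle scripts.

Added example, not code from the LightSpec project. Realistic use:
    npm pack lightspec            # fetches lightspec-<version>.tgz, installs nothing
    python3 audit_npm_tarball.py lightspec-*.tgz
"""
import io
import json
import sys
import tarfile
import tempfile
from pathlib import Path

# package.json scripts that npm runs automatically during `npm install`
# (unless --ignore-scripts is passed); these are the code-execution surface.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall",
                   "preprepare", "prepare", "postprepare")


def audit_npm_tarball(tarball_path):
    """Return lifecycle hooks, bin entries and file list declared in the tarball.

    npm tarballs place every file under a top-level 'package/' directory.
    """
    with tarfile.open(tarball_path, "r:gz") as tar:
        manifest = json.load(tar.extractfile(tar.getmember("package/package.json")))
        # Listing files lets a reviewer find the script a hook invokes.
        files = sorted(m.name for m in tar.getmembers() if m.isfile())
    scripts = manifest.get("scripts", {})
    hooks = {name: cmd for name, cmd in scripts.items() if name in LIFECYCLE_HOOKS}
    bin_field = manifest.get("bin", {})
    if isinstance(bin_field, str):  # "bin": "cli.js" shorthand maps to the package name
        bin_field = {manifest.get("name", ""): bin_field}
    return {
        "name": manifest.get("name"),
        "version": manifest.get("version"),
        "lifecycle_scripts": hooks,
        "bin": bin_field,
        "files": files,
    }


def build_sample_tarball(directory):
    """Construct a throwaway npm-shaped tarball with a postinstall hook.

    Constructed sample data for this example only; 'sample-cli' is fictional.
    """
    manifest = {
        "name": "sample-cli",
        "version": "0.0.1",
        "bin": {"sample-cli": "bin/cli.js"},
        "scripts": {"postinstall": "node scripts/setup.js", "test": "node test.js"},
    }
    path = Path(directory) / "sample-cli-0.0.1.tgz"
    with tarfile.open(path, "w:gz") as tar:
        for name, content in (
            ("package/package.json", json.dumps(manifest).encode()),
            ("package/bin/cli.js", b"#!/usr/bin/env node\n"),
            ("package/scripts/setup.js", b"// runs at install time\n"),
        ):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return str(path)


def demo():
    """Build the constructed sample tarball and audit it; returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_npm_tarball(build_sample_tarball(tmp))


if __name__ == "__main__":
    report = audit_npm_tarball(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print(json.dumps(report, indent=2))
    if report["lifecycle_scripts"]:
        print("WARNING: package runs code during install; read the hooks above "
              "or install with `npm install --ignore-scripts`.", file=sys.stderr)
        sys.exit(1)
```

A non-zero exit when any hook is present makes the script usable as a gate in front of the agent's install step; `npm install --ignore-scripts` is the fallback when you want the CLI but not its install-time code, and a local install (`npm install lightspec` inside the project, or `npx lightspec`) keeps the bin entries out of a system-wide PATH.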
latest · vk97fxpajx5hr676ctsjk2zy97n83jghv
