Senior Dev
Pass
Audited by ClawScan on May 10, 2026.
Overview
This is a straightforward development workflow skill, but it can guide an agent to stage code, create PRs/issues, check deployments, and write tracking files, so users should review those actions before use.
This skill appears benign and purpose-aligned for development work. Before using it, make sure the repository is the right one, inspect staged diffs, confirm PR/issue text before submission, and verify that the referenced CLIs are trusted and logged into the correct accounts.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could stage unintended local changes or create external PRs/issues under the user's authenticated developer accounts.
The skill instructs the agent to stage all repository changes and create or update PRs/issues. This is aligned with the stated development workflow, but these commands can publish or alter project state if run without user review.
git add -A
git diff --staged # Verify changes match request
...
gt submit
...
gh issue create --title "Bug: description" --body "Details..."
Review staged diffs and PR/issue content before allowing submission, especially in shared or production repositories.
Actions may be performed with the user's repository, issue-tracker, or deployment privileges.
These CLIs typically operate using the user's existing authenticated Graphite, GitHub, and Vercel sessions. The access is expected for the workflow, and the artifacts do not show credential logging or unrelated credential use.
- `gt` — [Graphite CLI](https://graphite.dev) for stacked PRs
- `gh` — [GitHub CLI](https://cli.github.com) for issues
- `vl` — Vercel deploy watcher (or `vercel` CLI)
Use this only in repositories and accounts where the agent is allowed to create branches, PRs, issues, and deployment checks.
If an untrusted or unexpected `vl` command is on the user's PATH, the agent could run that local tool during deployment checks.
The workflow references an external deploy-watcher command, but the supplied artifacts include no install spec or implementation for it. This is not suspicious by itself, but users should verify the provenance of any local command the skill asks them to run.
`vl` — Vercel deploy watcher (or `vercel` CLI)
Confirm that `gt`, `gh`, `vl`, or `vercel` resolve to trusted installed tools before using the workflow.
Project notes, plans, and changelogs may retain task context longer than the current chat and could be read in later development sessions.
The skill deliberately stores task context in project files so future work can reuse it. This is purpose-aligned, but those files may persist project details or influence later agent behavior.
A 12-step production workflow that keeps context across compaction.
...
- **TODO.md** — Active task tracking (survives context compaction)
- **CHANGELOG.md** — Version history
- **PLAN.md** — Architecture decisions (optional)
Avoid putting secrets or sensitive internal details in TODO.md, CHANGELOG.md, or PLAN.md unless they belong in the repository.
