Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Sdd Dev Workflow
v1.4.1 Specification-driven development workflow (SDD + Speckit + Claude Code). For complex software development projects. ⚠️ Required environment variable: ZHIPU_API_KEY. Optional: GITHUB_TOKEN, ANTHROPIC_API_KEY. When the user needs to develop complex applications, run multi-iteration development projects, or automate development with sessions_spawn...
⭐ 0 · 489 · 1 current · 1 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (high confidence)
Purpose & Capability
The skill's stated purpose (SDD + Speckit + Claude Code) justifies needing LLM API keys (ZHIPU/Anthropic) and an optional GitHub token. However the registry metadata lists no required env vars/primary credential while the SKILL.md repeatedly states ZHIPU_API_KEY is required (and mentions ANTHROPIC_API_KEY, GITHUB_TOKEN). This mismatch between declared metadata and runtime instructions is an incoherence that could trick users into supplying sensitive keys unexpectedly.
Instruction Scope
Runtime instructions and included scripts go beyond simply orchestrating a coding workflow: they (a) drive tmux sessions running Claude Code with permissive modes (acceptEdits / bypassPermissions), (b) recommend and automate dependency installs without prompting (pip/apt/npm/curl|sh), (c) instruct editing ~/.openclaw/openclaw.json or using gateway.config.patch to grant subagent permissions, and (d) read agent session files under ~/.openclaw/agents and project workspace files. These behaviors are powerful and affect system agent configuration and local state — they are not limited to generating code and include actions that modify local agent configuration and install remote code.
Install Mechanism
There is no formal install spec (instruction-only), which lowers upfront risk, but the scripts and docs instruct the user to run network-installer commands at runtime (curl | sh to install 'uv', npx/coding-helper, npm installs, apt-get/pip installs). Those commands will fetch and execute remote code when the user runs the scripts, introducing moderate to high runtime install risk. The skill itself does not bundle binary installers, but it instructs fetching from third-party URLs.
Credentials
The SKILL.md requires ZHIPU_API_KEY (required) and optionally GITHUB_TOKEN and ANTHROPIC_API_KEY — reasonable for multi-LLM and GitHub integration. However the skill's registry metadata does not declare these required env vars, an important mismatch. Additionally, scripts access local OpenClaw configuration (~/.openclaw/openclaw.json, ~/.openclaw/agents/ sessions) and ~/.claude/settings.json — they read and potentially instruct edits to local agent/gateway config. That local config access is more privileged than simply needing an LLM API key and should be explicitly declared.
Persistence & Privilege
always:false (good) and autonomous invocation is allowed (normal), but the skill explicitly guides users to: enable sessions_spawn autonomous agents, patch gateway config to allow subagents, and use permission modes like bypassPermissions. Those instructions enable long-lived autonomous subagents and persistent sessions (cleanup: 'keep'), increasing blast radius. The skill also requires/encourages modifying OpenClaw agent configuration — a system-level change that grants broader privileges to subagents.
What to consider before installing
What to consider before installing/using this skill:
- Metadata mismatch: The skill's SKILL.md says ZHIPU_API_KEY is required (and mentions ANTHROPIC_API_KEY, GITHUB_TOKEN) but the registry metadata did not declare required credentials. Treat any request for LLM API keys as sensitive — confirm why each key is needed before providing it.
- Review scripts before running: The package includes multiple bash scripts (init, driver, monitor, auto-installer) that will create projects, start tmux sessions, run Claude Code, auto-install packages (pip/apt/npm), and read/modify local OpenClaw and Claude configuration files. Inspect sdd-driver.sh, claude-code-helper.sh, init-project.sh, and monitor-task.sh line-by-line to ensure behavior is acceptable.
- Gateway/agent config edits are sensitive: The docs instruct editing ~/.openclaw/openclaw.json or calling gateway config.patch to allow subagents. That changes system agent permissions and should only be done in a controlled environment after understanding the consequences.
- Automatic installs and 'bypass' modes: The workflow recommends automated pip/apt/npm installs without prompting and suggests permission modes like bypassPermissions. Do NOT run these on production hosts. Use an isolated VM/container sandbox for initial testing.
- Least privilege: Provide only the credentials absolutely required and prefer read-only or limited-scope tokens (e.g., a repository-limited GitHub token) when possible. Consider creating dedicated, revocable API keys for testing.
- If you plan to use autonomous sessions: expect persistent session artifacts under ~/.openclaw and possibly saved session logs; the skill encourages keeping sessions (cleanup: keep). Decide retention and access policies first.
- What would change this assessment: If the registry metadata were corrected to explicitly declare required env vars and the SKILL.md removed or constrained instructions that modify gateway config or use bypassPermissions, the skill would be more coherent. Also providing transparency about exactly what sdd-driver.sh does (a complete script audit) would reduce risk.
Practical next steps: audit the included scripts locally (don't run them yet), test in an isolated VM/container, and only then run check-environment and init scripts after confirming they won't change gateway config or auto-install unreviewed code.
Like a lobster shell, security has layers — review code before you run it.