gsd

Warn

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent project-automation skill, but it can spawn autonomous agents, run shell commands, edit files, and make git changes, so it should be reviewed before use.

Use this only in a repository where you are comfortable with automated edits, shell commands, and git commits. Start on a separate branch, review diffs before accepting changes, consider disabling automatic planning-doc commits, and avoid placing secrets in GSD planning/debug context.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A debugging run could change project files or run local commands before the user has reviewed each specific change.

Why it was flagged

The debug workflow gives a spawned debugging agent shell and edit capabilities and frames its goal as finding and fixing, with a completion path where a fix has already been applied.

Skill content
allowed-tools: Read, Bash, Write, Edit ... <mode> goal: find_and_fix ... If `## DEBUG COMPLETE`: Display fix applied
Recommendation

Run this only in a clean branch or disposable workspace, and require explicit approval before any Bash/Edit action or before applying fixes.

What this means

Multiple agents may read, test, and write diagnostic artifacts at once, making it harder to predict or review the full set of actions.

Why it was flagged

The workflow intentionally launches multiple general-purpose subagents to investigate issues in parallel, which expands autonomous activity across the codebase.

Skill content
Spawning parallel debug agents ... Each agent will ... Investigate autonomously ... Task(... subagent_type="general-purpose" ...)
Recommendation

Limit the number of parallel agents, keep their tool access scoped, and require a user checkpoint before moving from diagnosis to planning or fixes.

What this means

The skill can alter repository history and planning files as part of normal use.

Why it was flagged

Milestone completion includes local deletion of a planning file and git commit/tag operations. These are scoped to the planning workflow but still mutate the repository.

Skill content
rm .planning/REQUIREMENTS.md ... git add .planning/ ... git commit -m "chore: archive v{version} milestone" ... git tag -a "v{version}"
Recommendation

Use a branch, review diffs before committing, and confirm that deleting .planning/REQUIREMENTS.md is acceptable for the project.

What this means

Unexpected phase arguments could cause the workflow to operate on the wrong planning directory or produce confusing shell behavior.

Why it was flagged

User-provided phase input is interpolated into a Bash snippet unquoted and without strict validation. This appears scoped to phase selection, but malformed input (for example a value containing spaces, a leading dash, or path characters) could select unintended files or phases.

Skill content
PADDED_PHASE=$(printf "%02d" ${PHASE} 2>/dev/null || echo "${PHASE}")
Recommendation

Validate phase arguments against a strict numeric/decimal pattern and quote variable expansions in shell snippets.
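As an added example (not code from the gsd skill or from the ClawScan report), the flagged one-liner is reproduced next to a hardened replacement that applies the recommendation above: a strict numeric/decimal pattern and quoted expansions. The function names pad_phase_unsafe and pad_phase, and the accepted phase grammar N or N.M, are assumptions made here for illustration.

```sh
#!/bin/sh
# Added example, not code from the gsd skill. pad_phase_unsafe mirrors the
# flagged line; pad_phase is the hardened replacement (names assumed here).

# Mirrors the flagged snippet: ${PHASE} is expanded unquoted and never validated.
# A value such as "1 2" word-splits into two printf arguments; printf reuses the
# format for each, so the result is "0102", a phase that matches nothing intended.
pad_phase_unsafe() {
    PHASE=$1
    PADDED_PHASE=$(printf "%02d" ${PHASE} 2>/dev/null || echo "${PHASE}")
    printf '%s\n' "$PADDED_PHASE"
}

# Hardened: accept only a phase of the form N or N.M (digits only, at most one
# dot, not at either end), zero-pad the integer part to two digits, and quote
# every expansion. Prints the padded phase and returns 0, or prints nothing and
# returns 1 so the caller can stop before touching any .planning file.
pad_phase() {
    phase=$1
    case "$phase" in
        ''|*[!0-9.]*|.*|*.|*.*.*) return 1 ;;
    esac
    int=${phase%%.*}          # integer part
    frac=${phase#"$int"}      # "" or ".M"
    # Drop leading zeros so printf does not read "010" as octal or reject "09".
    while [ "$int" != 0 ] && [ "${int#0}" != "$int" ]; do
        int=${int#0}
    done
    printf '%02d%s\n' "$int" "$frac"
}

# Usage when run directly: ./pad_phase.sh 3.1 prints 03.1; bad input exits 2.
if [ $# -gt 0 ]; then
    pad_phase "$1" || { printf 'invalid phase argument: %s\n' "$1" >&2; exit 2; }
fi
```

The rejecting `case` runs before any expansion reaches a command, so a malformed argument is refused rather than reinterpreted; only a value that already matches the accepted grammar is ever handed to printf or to a file path.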

What this means

Private project details, pasted errors, or sensitive ideas may end up committed to the repository if they are captured into planning docs.

Why it was flagged

The workflow persists conversation-derived context into .planning files and commits them by default when commit_docs is true.

Skill content
Capture idea or task as todo from current conversation context ... git commit -m "docs: capture todo - ${TITLE}"
Recommendation

Review .planning contents before committing, set commit_docs to false for sensitive projects, and avoid pasting secrets into GSD conversations.
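One way to enforce "review .planning contents before committing" mechanically, as an added example that is not part of the gsd skill or the ClawScan report: a git pre-commit hook that refuses the commit when a staged file under .planning/ contains secret-looking material. The pattern list, the function names, and the sample todo text are assumptions made here; the hook is a gate, not a substitute for reading the diff.

```sh
#!/bin/sh
# Added example, not code from the gsd skill or from ClawScan: a git pre-commit
# hook that refuses to commit staged files under .planning/ that contain
# secret-looking material. Install as .git/hooks/pre-commit and make it
# executable. The pattern list and the sample document are assumed here.

# One extended regex covering a few well-known credential shapes: AWS access
# key IDs, PEM private-key headers, GitHub and Slack token prefixes, and
# "key = value" assignments whose key names a secret. Extend it per project.
SECRET_RE='AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|ghp_[A-Za-z0-9]{36}|xox[baprs]-[0-9A-Za-z-]+|(api[_-]?key|secret|token|password)[[:space:]]*[:=][[:space:]]*[^[:space:]]+'

# report_secret_lines: print "<n>:<line>" for each matching line on stdin.
report_secret_lines() { grep -nEi -e "$SECRET_RE"; }

# count_secret_lines: print the number of matching lines on stdin.
count_secret_lines() { grep -cEi -e "$SECRET_RE"; }

# check_staged_planning: scan the *staged* blob of each added/changed file under
# .planning/ (git show :path), so what is checked is exactly what would land in
# the commit, not the working-tree copy. Returns 1 and prints the hits if any.
check_staged_planning() {
    hits=$(git diff --cached --name-only --diff-filter=ACM -- .planning/ |
        while IFS= read -r f; do
            git show ":$f" | report_secret_lines |
                while IFS= read -r line; do printf '%s:%s\n' "$f" "$line"; done
        done)
    if [ -n "$hits" ]; then
        printf 'pre-commit: secret-looking content staged under .planning/:\n%s\n' "$hits" >&2
        printf 'Remove it, or commit with --no-verify after review.\n' >&2
        return 1
    fi
    return 0
}

# Constructed sample of a captured todo, not a real planning document: lines 2
# and 3 would be flagged, lines 1 and 4 are clean.
SAMPLE_TODO='# Todo: fix login bug
Repro: use the AWS key AKIAIOSFODNN7EXAMPLE from the dev profile
Pasted config: password = hunter2hunter2
Consider caching the session lookup instead'

# Run the scan only when installed as a git hook; sourcing or running the file
# directly just defines the functions above.
case $0 in */hooks/pre-commit) check_staged_planning ;; esac
```

Because the hook reads the staged blobs rather than the working tree, a secret that was pasted into a todo and then removed from the file but left in the index is still caught. Setting commit_docs to false removes the automatic commit entirely; the hook protects the case where planning docs are still committed by hand.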

What this means

The design workflow may fail or depend on an unreviewed local file if one exists at that absolute path.

Why it was flagged

The workflow references a design-specialist subagent prompt, but the provided manifest does not include agents/design-specialist.md, leaving that subagent behavior unavailable for review.

Skill content
@/usr/lib/node_modules/clawdbot/skills/gsd/agents/design-specialist.md
Recommendation

Package and review every referenced agent prompt, or remove the missing reference and keep subagent prompts within the supplied skill files.
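A check for the packaging gap described above, as an added example that is not code from the gsd skill or from ClawScan: it extracts every "@<path>" prompt reference from a skill package and reports references that are hard-coded absolute paths, that escape the package directory, or that do not resolve to a packaged file. The "@path" reference syntax is taken from the quoted skill content; the function names, the sample package layout and file names are assumptions made here.

```sh
#!/bin/sh
# Added example, not code from the gsd skill or from ClawScan. It checks that
# every "@<path>" prompt reference inside a skill package resolves to a file
# shipped in that package. The "@path" syntax comes from the quoted skill
# content; the function names and the sample package are assumed here.

# extract_refs: print each @-prefixed path found on stdin, one per line
# (e.g. "spawn @agents/foo.md" -> "agents/foo.md").
extract_refs() {
    grep -oE '(^|[[:space:]])@[^[:space:]]+' | sed 's/^[[:space:]]*@//'
}

# check_refs PKG_DIR: classify each reference read from stdin.
#   absolute - hard-coded install path; resolves only on a machine with that layout
#   outside  - relative path that escapes the package via ".."
#   missing  - relative path with no matching file in the package
#   ok       - relative path that exists in the package
# Prints "<class> <ref>" per line and returns 1 if anything is not ok.
check_refs() {
    pkg=$1
    rc=0
    while IFS= read -r ref; do
        case $ref in
            /*)                   printf 'absolute %s\n' "$ref"; rc=1 ;;
            ..|../*|*/..|*/../*)  printf 'outside %s\n'  "$ref"; rc=1 ;;
            *) if [ -f "$pkg/$ref" ]; then printf 'ok %s\n' "$ref"
               else printf 'missing %s\n' "$ref"; rc=1; fi ;;
        esac
    done
    return $rc
}

# audit_package PKG_DIR: run the check over every Markdown file in the package.
# LC_ALL=C keeps the sorted report order stable across locales.
audit_package() {
    pkg=$1
    find "$pkg" -name '*.md' -type f -exec cat {} + |
        extract_refs | LC_ALL=C sort -u | check_refs "$pkg"
}

# build_sample_package: constructed package for demonstration (not the real gsd
# files). One referenced agent prompt is shipped, one is referenced by absolute
# install path, one is referenced relatively but not packaged. Prints the dir.
build_sample_package() {
    d=$(mktemp -d)
    mkdir -p "$d/agents" "$d/workflows"
    printf '# constructed agent prompt\n' > "$d/agents/example-agent.md"
    cat > "$d/workflows/design.md" <<'EOF'
Spawn the subagent with @agents/example-agent.md
Then load @/usr/lib/node_modules/clawdbot/skills/gsd/agents/design-specialist.md
Also read @agents/design-specialist.md
EOF
    printf '%s\n' "$d"
}

# Usage when run directly: ./audit_refs.sh path/to/skill; exit 1 on any bad ref.
if [ $# -gt 0 ]; then
    audit_package "$1"
fi
```

Running the check against a package with the three constructed references prints an `absolute` line for the install path, a `missing` line for agents/design-specialist.md and an `ok` line for the shipped prompt, and exits non-zero; a clean package prints only `ok` lines and exits 0, which makes the check usable as a packaging-time gate.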