gsd
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: glittercowboy
Version: 1.0.0

The OpenClaw AgentSkills skill bundle "glittercowboy" (GSD - Get Shit Done) is designed to provide a comprehensive project planning and execution workflow for AI agents. It leverages a modular architecture with orchestrator workflows and specialized sub-agents.

**Analysis:** The skill bundle extensively uses powerful tools such as `Bash`, `Read`, `Write`, `Edit`, `Grep`, `Glob`, `WebSearch`, and `WebFetch`. These tools grant the AI agent significant capabilities to interact with the host system, including:

* **File System Access:** Reading, writing, and editing arbitrary files (`Read`, `Write`, `Edit`).
* **Command Execution:** Running arbitrary shell commands (`Bash`).
* **Network Access:** Performing web searches and fetching content from URLs (`WebSearch`, `WebFetch`).
* **Git Operations:** Initializing repositories, adding, committing, and tagging files (`Bash` for `git` commands).

However, the documentation and agent instructions consistently frame these capabilities within the legitimate scope of software development:

* **Codebase Analysis:** Agents like `gsd-codebase-mapper` use `grep` and `find` to analyze project structure, dependencies, and identify issues.
* **Code Generation and Modification:** Agents like `gsd-executor` and `gsd-debugger` are explicitly tasked with writing, editing, and committing code to implement features or fix bugs.
* **Research:** Agents like `gsd-project-researcher` and `gsd-phase-researcher
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A debugging run could change project files or run local commands before the user has reviewed each specific change.
The debug workflow gives a spawned debugging agent shell and edit capabilities and frames its goal as finding and fixing, with a completion path where a fix has already been applied.
allowed-tools: Read, Bash, Write, Edit ... <mode> goal: find_and_fix ... If `## DEBUG COMPLETE`: Display fix applied
Run this only in a clean branch or disposable workspace, and require explicit approval before any Bash/Edit action or before applying fixes.
Multiple agents may read, test, and write diagnostic artifacts at once, making it harder to predict or review the full set of actions.
The workflow intentionally launches multiple general-purpose subagents to investigate issues in parallel, which expands autonomous activity across the codebase.
Spawning parallel debug agents ... Each agent will ... Investigate autonomously ... Task(... subagent_type="general-purpose" ...)
Limit the number of parallel agents, keep their tool access scoped, and require a user checkpoint before moving from diagnosis to planning or fixes.
The skill can alter repository history and planning files as part of normal use.
Milestone completion includes local deletion of a planning file and git commit/tag operations. These are scoped to the planning workflow but still mutate the repository.
rm .planning/REQUIREMENTS.md ... git add .planning/ ... git commit -m "chore: archive v{version} milestone" ... git tag -a "v{version}"
Use a branch, review diffs before committing, and confirm that deleting .planning/REQUIREMENTS.md is acceptable for the project.
Unexpected phase arguments could cause the workflow to operate on the wrong planning directory or produce confusing shell behavior.
User-provided phase input is interpolated into Bash snippets without robust validation. This appears scoped to phase selection, but malformed input could select unintended files or phases.
PADDED_PHASE=$(printf "%02d" ${PHASE} 2>/dev/null || echo "${PHASE}")
Validate phase arguments against a strict numeric/decimal pattern and quote variable expansions in shell snippets.
Private project details, pasted errors, or sensitive ideas may become stored in the repo if captured in planning docs.
The workflow persists conversation-derived context into .planning files and commits them by default when commit_docs is true.
Capture idea or task as todo from current conversation context ... git commit -m "docs: capture todo - ${TITLE}"
Review .planning contents before committing, set commit_docs to false for sensitive projects, and avoid pasting secrets into GSD conversations.
The design workflow may fail or depend on an unreviewed local file if one exists at that absolute path.
The workflow references a design-specialist subagent prompt, but the provided manifest does not include agents/design-specialist.md, leaving that subagent behavior unavailable for review.
@/usr/lib/node_modules/clawdbot/skills/gsd/agents/design-specialist.md
Package and review every referenced agent prompt, or remove the missing reference and keep subagent prompts within the supplied skill files.
