gsd-by-glittercowboy
Review
Audited by ClawScan on May 10, 2026.
Overview
This looks like a coherent project-planning and execution skill, but it can run commands, change your repository, spawn helper agents, and save project context.
Before installing, understand that GSD is meant to actively manage and execute work in your repository. Run it only in projects where you are comfortable with local file changes, git commits/tags, persistent .planning notes, and subagent access to project context. Keep secrets out of prompts and planning files, review diffs before accepting changes, and use simple numeric phase arguments.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A debug run may inspect and change project files, so mistakes could affect your working tree.
The debugging workflow can use Bash and file-editing tools and may attempt fixes. This is aligned with a debugging skill, but it gives the agent real local mutation authority.
allowed-tools:
  - Read
  - Bash
  - Write
  - Edit
...
<mode>
goal: find_and_fix
</mode>
Use the skill in a version-controlled project, review diffs before accepting changes, and prefer a clean working tree before running fix-oriented workflows.
Malformed phase input could make the workflow read or write the wrong planning path or fail unexpectedly.
A user-supplied phase value is inserted into a shell command without strict numeric validation or quoting. This is not proof of malicious behavior, but it can make the workflow fragile.
PADDED_PHASE=$(printf "%02d" ${PHASE} 2>/dev/null || echo "${PHASE}")
Use simple numeric phase arguments. The maintainer should validate phase IDs and quote shell variables consistently.
Private project details, ideas, or copied conversation content may be saved in the repository and potentially committed.
The workflow intentionally saves conversation-derived context into persistent project files, and later workflows can reuse those files.
Capture an idea, task, or issue that surfaces during a GSD session as a structured todo for later work.
...
Write to `.planning/todos/pending/${date_prefix}-${slug}.md`
Do not include secrets in GSD discussions or todos, and review .planning files before committing or sharing the repository.
Project context may be copied into multiple helper-agent sessions during diagnosis.
The workflow passes UAT gap details and project context to parallel general-purpose subagents. This is central to the skill design, but the artifacts do not define strong data-boundary controls for those subagents.
Task(
prompt=filled_debug_subagent_prompt,
subagent_type="general-purpose",
description="Debug: {truth_short}"
)
Use only in trusted agent environments, and avoid running parallel diagnosis on repositories or issues containing sensitive secrets.
The design workflow may fail or rely on a prompt that was not included in the reviewed artifact set.
The workflow references a design-specialist agent prompt, but that file is not listed in the provided manifest. This appears more like an incomplete packaging/provenance issue than malicious behavior.
@/usr/lib/node_modules/clawdbot/skills/gsd/agents/design-specialist.md
Verify the installed package contains the referenced design-specialist file before using the design mockup workflow.
