Fully Automated Collaborative Code Development Pipeline
Review
Audited by ClawScan on May 10, 2026.
Overview
Prompt-injection indicators were detected in the submitted artifacts (unicode-control-chars); human review is required before treating this skill as clean.
This skill appears safe for its stated purpose as an automated code-development assistant. Install it only if you are comfortable with a hands-off workflow that spawns sub-agents and creates project files; use a separate workspace and avoid putting secrets in prompts or source files. ClawScan detected prompt-injection indicators (unicode-control-chars), so this skill requires review even though the model response was benign.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may proceed through the whole development pipeline without pausing to confirm intermediate choices.
The skill changes the agent’s interaction pattern by suppressing mid-process confirmations. This is disclosed and central to the workflow, but users should understand the automation level.
Fully automated advancement; do not ask the user for confirmation. Report a progress summary after each phase is completed.
Use it when you want hands-off code generation; if you need checkpoints, explicitly ask the agent to confirm before writing or changing files.
Generated files may be created in the workspace and could conflict with existing project files if names overlap.
The workflow authorizes file creation for generated code and documentation. This is expected for a development pipeline and scoped to a project directory, but it can still affect local workspace contents.
Each phase's output is written into the `{workspace}/<project-name>/` directory. All code files are organized under this directory.
Run it in a new or clearly named project directory, and request overwrite confirmation if working inside an existing project.
Any code, requirements, or project details provided to the workflow may be shared across its sub-agent prompts.
The skill passes project context, generated code, and reports between spawned sub-agents. This is required for the stated multi-agent workflow, and the artifacts specify one-shot execution and cleanup.
Each phase's sub-agent receives the complete output of the previous phase... All sub-agents are invoked using `sessions_spawn`
Avoid including secrets in requirements or code input, and review generated artifacts before using them in sensitive projects.
Hidden or unusual characters could obscure what a skill says, although no harmful hidden instruction is evident in the provided artifacts.
The supplied scan context reports Unicode control characters. The visible content appears coherent and benign, but unusual hidden formatting can make review harder.
Pre-scan injection signals: unicode-control-chars
If installing, prefer reviewing the raw Markdown source or a normalized copy before trusting the workflow.
