ClawGator Superpowers

Audited by ClawScan on May 10, 2026.

Overview

This is mostly a software-development workflow skill, but it persistently auto-injects strong instructions at session start and includes local command execution, so users should review it before installing.

Install only if you want this skill to actively steer development sessions. Before enabling it, inspect or disable the SessionStart hook, verify the source, and require confirmation before git merges, discards, or other repository-changing actions.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can steer future sessions automatically, including resumed or cleared sessions.

Why it was flagged

The skill registers an asynchronous command hook that runs on session lifecycle events, giving it persistent behavior even when the user has not explicitly invoked the skill.

Skill content

"SessionStart": [{ "matcher": "startup|resume|clear|compact", ... "command": "${CLAUDE_PLUGIN_ROOT}/hooks/session-start.sh", "async": true }]

Recommendation

Make the session-start hook opt-in, disclose it prominently in metadata and documentation, and provide a simple way to disable it.

What this means

The agent may force this workflow into tasks where the user expected a quick answer or a different approach.

Why it was flagged

This instruction is overbroad and makes the skill's own invocation rule authoritative across many situations, which can override narrower user intent.

Skill content

"If you think there is even a 1% chance a skill might apply, you ABSOLUTELY MUST invoke it"

Recommendation

Scope invocation to clearly defined development tasks and avoid absolute self-invocation language.

What this means

Installing the skill may cause local code to run at session start, not just provide passive instructions.

Why it was flagged

The package contains a hook that executes a shell script automatically, while the registry describes the package as having no install spec and being instruction-only.

Skill content

"type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/session-start.sh"

Recommendation

Declare the hook and command execution in metadata, document exactly what the script does, and require explicit user consent before enabling it.

What this means

A mistaken or premature action could change or discard code work.

Why it was flagged

The skill declares tools that can affect repository state, including merging or discarding a branch. This is purpose-aligned for a development workflow but high-impact.

Skill content

"finish_development_branch": ... "enum": ["merge", "pr", "keep", "discard"]

Recommendation

Require explicit user confirmation before merge, PR creation, discard, or other repository-mutating actions.

What this means

Users have less information to verify where the code came from or whether it matches an upstream project.

Why it was flagged

The registry provenance is incomplete for a package that includes runnable code and hooks.

Skill content

Source: unknown; Homepage: none; Install specifications: No install spec — this is an instruction-only skill.

Recommendation

Verify the package source before installing and prefer a version with a public repository, pinned provenance, and accurate install metadata.

What this means

Project context or code may be shared among subagents more broadly than the user expects.

Why it was flagged

The workflow includes subagents and parallel agents, but the provided top-level artifacts do not define detailed data-sharing or permission boundaries for those agents.

Skill content

"SUBAGENT-DRIVEN DEV" ... "Fresh subagent per task"

Recommendation

Review subagent prompts and limit what files, secrets, and project context are passed to subagents.