Claude Code Openclaw

v1.0.0

Delegate implementation, review, and official BMad agent-driven workflows to local Claude Code. Use for: (1) substantial coding/refactoring/review work, (2)...

⭐ 0· 102·1 current·1 all-time

by@secludedridge

MIT-0

Security Scan

VirusTotal

Suspicious

View report →

OpenClaw

Suspicious

medium confidence

ℹ

Purpose & Capability

The scripts and SKILL.md align with the stated purpose (orchestrating local Claude Code and BMad workflows). However the registry lists no required binaries or credentials while the code expects external CLIs (e.g., a 'claude' CLI and an 'openclaw' CLI) and uses environment variables like CLAUDE_CODE_BIN and CLAUDE_HOOKS_EVENT_LOG. The lack of declared external tooling is an inconsistency rather than maliciousness.

ℹ

Instruction Scope

SKILL.md instructs agents to run repository-local scripts that inspect and modify repo files (e.g., _bmad/_config, _bmad-output, story files) and to run orchestrator flows. That behavior is in-scope for a repo orchestration tool. Be aware the runtime flow can read many repo artifacts and dispatch final updates (via openclaw), which could transmit repository content to an external messaging target if configured.

✓

Install Mechanism

There is no install spec (instruction-only at registry level) and the ship includes local Python scripts. No remote downloads or archive extraction are performed by the registry; risk from the install mechanism itself is low. Still, these included scripts will be executed at runtime if invoked.

!

Credentials

The skill declares no required environment variables or primary credential, yet the code reads environment variables (CLAUDE_CODE_BIN, CLAUDE_HOOKS_EVENT_LOG) and invokes external binaries (claude, openclaw). The openclaw invocation in claude_dispatch_update.py will attempt to send messages (potentially containing run outputs/user-update.txt) to configured OpenClaw targets — this can exfiltrate repo content if an OpenClaw account/target is configured. The skill asks for no explicit credentials in metadata while having the ability to use local CLI credentials or config implicitly.

✓

Persistence & Privilege

The skill does not request always:true and does not modify other skills. Some scripts can install Claude hooks (there is an install_claude_hooks.py), and the orchestrator writes run/checkpoint files in the repo — this is expected for an orchestrator and limited to the repository scope.

What to consider before installing

This package appears to implement a local orchestrator for Claude Code / BMad workflows and includes many helper scripts. Before installing or running it: 1) Inspect the scripts (especially claude_dispatch_update.py, claude_code_run.py, install_claude_hooks.py) to confirm you trust what they will run and write in your repo. 2) Note that it may call external CLIs (claude, openclaw) and will use environment variables (CLAUDE_CODE_BIN, CLAUDE_HOOKS_EVENT_LOG) even though none are listed in the registry metadata — ensure you understand and control those CLIs and any credentials they use. 3) Be cautious with notify-account/notify-target options: they can cause automated messages containing run outputs or repo content to be sent externally via the openclaw CLI. 4) If you want to reduce risk, run the scripts in an isolated environment (non-production repo copy, limited filesystem access, no OpenClaw credentials) and/or review and run them step-by-step rather than giving full automated permissions.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dv48ttpwnssxvhftendn9m9833ssg

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Claude Code Operator (OpenClaw)

Use local Claude Code as the implementation engine. Keep the orchestration disciplined, evidence-based, and aligned with the repo's installed BMad tooling.

Supported execution paths

Use exactly one of these paths:

One-shot headless task → scripts/run_claude_task.sh
Direct slash workflow → scripts/claude_code_run.py
Official BMad agent persona → scripts/run_bmad_persona.py

Never use:

raw claude -p
tmux as the default Claude carrier
ad-hoc exec(background:true) + poll loops
hand-written generic persona prompts when run_bmad_persona.py can express the task

Preferred orchestration pattern

Prefer the Spawn and Yield pattern when ACP is available:

start the Claude task with sessions_spawn
pass --notify-parent-session
immediately sessions_yield
let completion wake the parent session

If ACP is unavailable, use the supported local runner above. Do not invent a fourth path.

Core role

You are the Project Owner and orchestration layer.

Let Claude Code / BMad agents do the implementation work.
Absorb routine elicitation and make the decision yourself.
Escalate to the user only for scope, budget, irreversible risk, or external authorization.
Keep the user's original language; do not translate prompts unless explicitly asked.

BMad operating rules

For repos that contain _bmad/, treat BMad as the project operating system, not as loose inspiration.

Before running anything, inspect the repo's actual installed capability set:

_bmad/_config/bmad-help.csv
.claude/commands/
or scripts/run_bmad_persona.py --cwd <repo> --list

Default implementation loop

Use the official implementation cycle unless there is a deliberate reason not to:

SM → CS
DEV → DS
DEV → CR
If fixes are needed, back to DS
Epic complete → SM → ER

When to use direct workflows instead

Use direct /bmad-bmm-* or /bmad-tea-* workflows when:

the user explicitly asks for that workflow
you are recovering a specific interrupted step
you need precise single-step monitoring or retry behavior

Default to official agent-driven delivery when the user wants “real BMad” execution.

How to invoke Claude Code

1) One-shot headless task

Use for bounded tasks such as review, summary, targeted fix, or analysis.

scripts/run_claude_task.sh --prompt "<structured task>"

2) Direct slash workflow

Use for a specific installed workflow.

Rules:

first non-empty line must be a slash command
one workflow per run
keep the prompt minimal

Example:

scripts/claude_code_run.py \
  --mode interactive \
  --cwd <repo> \
  --workflow bmad-bmm-code-review \
  --prompt-file <prompt.txt>

3) Official BMad agent persona

Use for role-correct BMad execution.

Prefer the wrapper:

scripts/run_bmad_persona.py \
  --cwd <repo> \
  --persona sm \
  --trigger CS \
  --story-id 4-1-agent-api-auth-and-security

You may also pass an installed workflow command name as the trigger when recovering or matching a user-facing command exactly, for example --trigger bmad-bmm-create-story.

More examples:

scripts/run_bmad_persona.py --cwd <repo> --persona pm --trigger CP
scripts/run_bmad_persona.py --cwd <repo> --persona architect --trigger CA
scripts/run_bmad_persona.py --cwd <repo> --persona dev --trigger DS --story-id 4-1-agent-api-auth-and-security --story-path _bmad-output/implementation-artifacts/story-4-1-agent-api-auth-and-security.md
scripts/run_bmad_persona.py --cwd <repo> --persona dev --trigger CR --story-id 4-1-agent-api-auth-and-security

run_bmad_persona.py will:

read _bmad/_config/bmad-help.csv
resolve trigger → agent → installed command → workflow
generate a legal slash-first prompt
bind the correct workflow for orchestrator artifact rules
auto-enable artifact-based stop for major artifact-producing flows

Prompt rules

Keep prompts short and structured.

Always include only what is needed:

the exact workflow or agent trigger for this run
target files or story identifiers
completion criteria
default interaction policy

For BMad prompts, default to:

Continue / C
no Advanced Elicitation / A
no Party Mode / P
no YOLO / Y unless explicitly authorized

Do not paste long PRD / architecture / history into the prompt when files already exist. Prefer file paths and targets.

Completion criteria

Trust artifacts over terminal vibes.

For BMad, prefer:

expected output file exists
story status / sprint-status advanced correctly
review output exists
tests actually ran and passed when implementation or review requires it

Do not treat spinner activity, transcript growth, or exit code alone as success.

Token discipline

Conserve tokens aggressively:

use the shortest legal slash-first prompt
prefer structured context files over repeated prose
keep hooks and event summaries compact
keep completion updates terse and action-oriented
avoid re-injecting large run metadata into the parent session

Read these references as needed

references/bmad-agent-trigger-cheatsheet.md — official role/trigger matrix
references/bmad-method-integration.md — BMad operating guidance in OpenClaw
references/bmad-v6-agent-workflow-map.md — broader agent/workflow map
references/bmad-prompt-templates.md — prompt templates
references/spec-driven-workflow.md — Spec Kit / OpenSpec flows
references/claude-orchestrator-ops.md — operational troubleshooting and recovery commands
references/claude-orchestrator-profiles.yaml — workflow/profile behavior
references/claude-orchestration-control-plane.md — deep architecture notes; read only when modifying the control plane itself

Resource files

Primary runtime:

scripts/run_claude_task.sh
scripts/claude_code_run.py
scripts/run_bmad_persona.py
scripts/claude_orchestrator.py

Core runtime support:

scripts/claude_artifact_probe.py
scripts/claude_checkpoint.py
scripts/claude_workflow_adapter.py
scripts/claude_watchdog.py
scripts/install_claude_hooks.py
scripts/claude_hook_event_logger.py
scripts/claude_dispatch_update.py

Ops / recovery tools:

scripts/ops/claude_run_report.py
scripts/ops/claude_latest_run_report.py
scripts/ops/claude_reconcile_runs.py
scripts/ops/claude_recover_run.py
scripts/ops/claude_user_update.py

Dev / maintenance tools:

scripts/dev/claude_acceptance_check.py
scripts/dev/claude_v2_smoke.py
scripts/dev/claude_event_summary.py

When improving this skill, prioritize fixes that remove false-progress signals and ensure artifact-complete runs actually terminate and finalize cleanly.

Files

35 total

Select a file

Select a file to preview.

Comments

Loading comments…