ClawGator Superpowers
v1.0.0
Complete software development framework for the ClawGator team. Brainstorming, planning, systematic execution, TDD, debugging, code review, and git worktrees. Triggers automatically before starting a project or code change.
by @renggap
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name, SKILL.md, package.json and many files align with a developer workflow (brainstorming, TDD, git worktrees, debugging). The included utilities (graphviz renderer, git helper library, debugging scripts) are reasonable for this purpose. However, some included pieces (a SessionStart hook that injects the entire using-superpowers SKILL.md into session context and a script that suggests modifying ~/.openclaw/openclaw.json and restarting an openclaw service) are more intrusive than typical ‘documentation-only’ skills and exceed what a purely passive guidance skill would normally require.
Instruction Scope
SKILL.md instructs users to copy files into ~/.openclaw/extensions, edit ~/.openclaw/openclaw.json, and restart the OpenClaw gateway or service — these are system-level operations. The session-start hook (hooks/session-start.sh) emits a JSON payload that embeds the full using-superpowers SKILL.md and a warning which explicitly demands that 'IN YOUR FIRST REPLY...' the agent tell the user a specific message; that is an active context injection and an instruction for behavior on every session start. The skill also contains executable scripts (render-graphs.js, shell scripts, and code that can run git fetch via execSync) that, if invoked, will run shell commands and access the file system and network. Those behaviors go beyond passive guidance and broaden the agent's runtime actions.
Install Mechanism
There is no automatic remote installer or download step; the project is instruction + local files. No external URLs or archive extraction are used in an automated install spec. That reduces supply-chain risk compared to remote downloads. However, proposed manual install steps require copying files into user config directories and restarting services (kill -USR1 or systemctl), which are high-impact manual actions and should be done with care.
Credentials
The skill declares no required environment variables or credentials, which is appropriate. Still, the code and scripts reference $HOME and other local paths, call git fetch (network), call external binaries (dot / graphviz), and instruct edits to ~/.openclaw/openclaw.json and restarting the gateway. Those file and process-level operations are consistent with a developer tooling skill, but they require filesystem and process privileges — make sure you only install this in an environment where such changes are acceptable. Also note the strong instruction in SKILL.md to invoke skills whenever there's a 1% chance they apply — that can cause broad invocation of other sub-skills and elevated access.
Persistence & Privilege
always:false (good), but the plugin registers a SessionStart hook that runs asynchronously and emits additionalContext on each session start. That gives the skill a persistent foothold in session initialization and injects a potentially large chunk of content (and an explicit behavioral directive) into the agent's context every time sessions start. This behavior is powerful and unexpected for many users; combined with the explicit rule to invoke skills aggressively, it increases the surface area for unintended autonomous actions.
What to consider before installing
Before installing, review these points:
1) Inspect hooks/session-start.sh carefully. It injects the whole 'using-superpowers' SKILL.md into session startup and includes a directive asking the agent to emit a particular warning in its first reply — that is an active context-injection and may affect every session.
2) Expect to run manual, system-level commands. The README/SKILL.md asks you to copy files into ~/.openclaw/extensions, edit ~/.openclaw/openclaw.json, and restart the gateway (kill -USR1 or systemctl). Only do this on machines where you control and trust the OpenClaw install.
3) The code contains scripts that run shell commands (child_process/execSync, dot, git fetch) and shell helpers (render-graphs.js, various .sh). These are normal for developer tooling, but verify you trust the author and run them in a safe environment (sandbox or non-production) the first time.
4) Confirm provenance. Source/homepage is unknown and owner ID is just an identifier. If this is meant for your org, prefer a vetted internal copy or ask the ClawGator author for an origin (git URL, commit history) before deploying broadly.
5) Test in a disposable environment first. Install locally in a throwaway user account or VM, run the session start to see what it injects, and verify no unwanted side effects occur (no unexpected network connections, no changes to system services you don't intend).
6) Consider modifying the skill before use: remove or alter the SessionStart hook (or make it opt-in), and avoid blindly following the 'invoke any skill with 1% applicability' rule — that guideline can escalate automated agent actions across many skills.
