ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Code Workflow

v0.1.2

4-stage workflow for code changes: research → plan → user review → implement (TDD). Applies to all tasks requiring code changes: issue implementation, fix_pl...

0· 157·0 current·0 all-time
byes6kr@drumrobot

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for drumrobot/code-workflow.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Code Workflow" (drumrobot/code-workflow) from ClawHub.
Skill page: https://clawhub.ai/drumrobot/code-workflow
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install code-workflow

ClawHub CLI

Package manager switcher

npx clawhub@latest install code-workflow
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description align with a code-change workflow. The SKILL.md's required actions (research, plan, tests, commits) are coherent with the stated purpose. However the skill references running pnpm/tsc, git operations, and a 'tdd' skill dependency but the registry metadata declares no required binaries or credentials — a mismatch that should be reconciled.
!
Instruction Scope
Instructions direct the agent to read the repo deeply and write files under .ralph/docs/generated/, run tests/typechecks, and commit changes. They also require the agent to block for user review and then proceed to implement and commit without asking. The step that commands automatic committing and the explicit requirement to always write research/plan files ("Do not summarize in chat — always write to a file") expand the agent's write scope and may be surprising.
Install Mechanism
This is an instruction-only skill with no install spec, so nothing will be downloaded or written by an installer step. That is the lowest-risk install model.
!
Credentials
The skill declares no required env vars or credentials but prescribes running tools (pnpm, tsc, git) and using the 'tdd' and 'skill-kit' skills. Network access and auth may be required for self-upgrade (/skill-kit upgrade). The metadata should explicitly list the runtime binaries and any credential/access needs; absent that, it's unclear what privileges the skill assumes.
!
Persistence & Privilege
always:false (good), but the skill instructs the agent to perform permanent actions in the repo (write files, run commits) and to self-improve by running /skill-kit upgrade code-workflow (modifying its own skill). Automatic committing and self-upgrade increase the blast radius if the skill misbehaves or is misconfigured.
What to consider before installing
This skill is largely consistent with a coding workflow, but take precautions before enabling it: - Expect it to read the repository and create files at .ralph/docs/generated/*. Review those files and the path policy for your project. - It will run tests and typechecks (pnpm/tsc) and perform git operations — ensure those tools are available and that running them automatically is acceptable. - The SKILL.md says it will commit changes automatically after passing tests and will not prompt for commit confirmation. If you want final control over commits, do not enable automatic commits or require an explicit user approval step. - The skill instructs itself to run /skill-kit upgrade code-workflow (self-upgrade). If you are uncomfortable with a skill modifying its own code, disable or vet that behavior. - Ask the author to list required binaries and any expected network/auth needs in the metadata, and to add an explicit confirmation step before committing or performing destructive git actions. - If you try it, run it in a safe sandbox or on a cloned repo until you confirm it behaves as you expect.

Like a lobster shell, security has layers — review code before you run it.

latestvk977jb7rpbnrmjm5f39vp1dd0n84kmff
157downloads
0stars
3versions
Updated 2w ago
v0.1.2
MIT-0
es6kr@drumrobot
latest
Download

Coding Workflow

A Research → Plan → User Review → Implement 4-stage procedure for code change tasks.

Trivial tasks such as simple configuration changes or 1~2 line edits may skip this workflow.

Step-by-Step Procedure

Step 1: Research (Read the Codebase)

Read and understand the relevant code deeply, then write findings to .ralph/docs/generated/research-<task>.md.

  • Do not skim a file and move on at the signature level
  • Understand existing layers, ORM relationships, and duplicate API presence
  • Mandatory exploration of existing test files: Find related *.test.*, *.spec.* files and understand what cases are already covered
  • Do not summarize in chat — always write to a file

Step 2: Plan (Write Plan MD)

Write a detailed implementation plan in .ralph/docs/generated/plan-<task>.md.

Include:

  • Detailed description of the approach
  • Code snippets showing actual changes
  • List of file paths to be modified
  • Considerations / trade-offs
  • Verification plan (required): For each change group, specify verification procedure, command/URL, and expected result

Step 3: User Review

After writing the plan MD, report STATUS: BLOCKED and wait for user review.

Report content:

  • Plan file path: .ralph/docs/generated/plan-<task>.md
  • Number of changed files, summary of modification scope

Items for the user to verify:

  • Is the approach appropriate?
  • Is the modification scope within the issue/PR scope?
  • Does it match existing patterns/conventions?

On user feedback → revise plan and re-review. On approval → proceed to step 4.

Step 4: Implement (TDD applied by default)

Once the plan is approved, implement using the tdd skill's cycle topic (Red→Green→Refactor). After implementation, run tests using the tdd skill's run topic and report results.

TDD opt-out: If the user specifies --no-tdd, implement without tests.

Commit after implementation: If build + tests pass, proceed to commit. Do not ask the user whether to commit. If a related existing commit exists, confirm whether to amend via AskUserQuestion.

Other:

  • Mark completed tasks/steps as [x] in fix_plan.md
  • Do not stop until all steps are complete
  • Do not use unknown types
  • Continuously run type checks during implementation (pnpm typecheck or tsc --noEmit)
  • Do not introduce new type errors

When Going in the Wrong Direction

Do not patch over a bad approach — revert and restart with a narrower scope.

cmd /c git checkout -- <files>   # revert changes

Revise the plan and restart from step 3 (user review).

Applicability by Task Complexity

Task ComplexityScope
trivial (1~2 line edits, config value changes)Can be skipped — implement directly
moderate (3~10 files, logic changes)Start from step 2 (plan)
complex (10+ files, new features, architecture changes)Perform all steps from step 1 (research)

Self-Improvement

After this skill invocation completes, self-improve based on the conversation:

  1. Detect limitations, failures, and workaround patterns for this skill in the conversation
  2. If improvement candidates are found, run /skill-kit upgrade code-workflow

Comments

Loading comments...