Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Gstack Openclaw

v2.5.10

A collection of world-class thinking: the engineering mindset of Google Staff Engineers, Martin Fowler/Kent Beck/Jeff Dean, the startup mindset of Paul Graham/Sam Altman, the innovation mindset of Elon Musk, and the design mindset of Stripe/Airbnb. v2.5.10: removed install.sh to completely eli...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for leo-jiqimao/gstack-openclaw.

Install the skill "Gstack Openclaw" (leo-jiqimao/gstack-openclaw) from ClawHub.
Skill page: https://clawhub.ai/leo-jiqimao/gstack-openclaw
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI


openclaw skills install gstack-openclaw

ClawHub CLI


npx clawhub@latest install gstack-openclaw
Security Scan

Capability signals: Crypto · Can make purchases · Requires OAuth token

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (a role-driven engineering productivity kit) matches the provided content: many role-oriented SKILL.md files, templates and examples. It does not declare any required binaries, env vars, or credentials. The included examples show integrations with GitHub, CI, WebPageTest, PSI, Datadog, Prometheus, Playwright, etc., which are reasonable for a documentation skill that teaches integrations — but those examples reference API keys and network calls even though the top-level SKILL.md/SECURITY.md claim 'no external API calls'. This is plausible (examples for users), but the presence of those examples should be expected and is worth noting.
Instruction Scope
The main SKILL.md and SECURITY.md repeatedly claim the skill is documentation-only and does not perform network calls or run scripts. However: (1) multiple places (SKILL.md and README) still show manual install commands using git clone and './install.sh' despite changelog/SECURITY.md stating install.sh was removed in v2.5.10 — that inconsistency could mislead users into running a script that may not exist or may be different in other versions; (2) subskill docs include runnable code snippets that read local state (e.g., Playwright examples that read localStorage) and show examples that POST telemetry (fetch('/analytics')) or curl WebPageTest/PSI APIs (with API keys). Those are examples, not active code in the skill, but they provide actionable commands that — if executed by the user or an agent with tooling permissions — could access local tokens or external services. The SKILL.md also instructs creating GSTACK.md in the project root (a file write), which contradicts wording that it 'does not read/write user files' unless done via standard OpenClaw tools. Overall the instructions are mostly documentation, but the mixed messaging and executable examples are a scope concern.
Install Mechanism
There is no declared install specification and no code files to execute; the registry metadata indicates an instruction-only skill. The README and SKILL.md mention 'clawhub install' (expected) but also include 'git clone' plus './install.sh' commands — even though v2.5.10 claims install.sh was removed. Because there's no packaged install spec and no archive downloads, installation risk is low, but the leftover references to an install.sh are an inconsistency worth verifying before running any manual commands you find in the docs.
Credentials
The skill declares no required env vars or secrets (primaryEnv none). However many documentation examples show using service API keys (WebPageTest k=YOUR_API_KEY, PSI YOUR_API_KEY, Datadog/NewRelic examples, Kubernetes secretKeyRef). These are typical templates and do not mean the skill will request or exfiltrate credentials, but they do mean that using the documented integrations will require you to supply credentials elsewhere. The skill itself does not ask for credentials, which is proportionate, but the docs include code that could read local tokens (browser localStorage access) — users should not grant the agent tooling access to sensitive environments or secrets unless intended.
Persistence & Privilege
The skill is not always-enabled (always:false) and does not request elevated persistence or modify other skills. Autonomous invocation is allowed (disable-model-invocation:false), which is normal. There is no evidence this skill attempts to change other skills or system-wide settings.
What to consider before installing
Summary of what to check before installing or using this skill:

  • The package appears to be documentation-only and coherent with its stated purpose (role-based engineering guidance). That said, the repository/documentation contains contradictory lines: several places still show a manual install using './install.sh' while the changelog and SECURITY.md say install.sh was removed. Do NOT run arbitrary install scripts without inspecting them first.
  • Many examples in the subskills show runnable code that accesses network APIs, posts telemetry, or reads local browser state (e.g., Playwright page.evaluate retrieving localStorage). These are templates/examples — the skill itself doesn't declare credentials — but if you execute those examples (or grant the agent browser/control tooling), they could read local tokens or send data off-host. Only run such scripts in safe environments and avoid running browser automation against sites holding secrets or tokens.
  • Prefer the documented clawhub install path. If you must use manual install, inspect the repository on GitHub (https://github.com/openclaw/gstack-openclaw) and verify there is no install.sh or other executable you don't trust. Clone the repo and manually inspect files before executing anything.
  • Don't paste API keys, tokens, or other secrets into chat prompts. If you want the skill to reason about integrations, provision credentials separately to the appropriate official skills or tooling and grant the minimal scope required.
  • If you plan to use the 'browse' or automation examples, run them in a sandboxed/test environment and review any generated scripts for calls that send data externally (fetch/curl) or read local storage.
  • If you want higher assurance, ask the author/maintainers for confirmation (or open an issue) that the published package truly contains no install scripts or executables; verify the published tag/release on the GitHub repo matches the registry package.
Why 'suspicious' and not 'malicious': There is no clear evidence of deliberate misdirection or hidden executables — the main issue is inconsistent documentation that could mislead less-technical users into running commands. Those inconsistencies and the presence of many actionable network examples justify caution.
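The checks the scan report recommends (look for packaged executables or install scripts, grep the docs for fetch/curl calls and localStorage reads, and confirm that docs telling you to run ./install.sh actually match what is packaged) can be scripted before anything is executed. The following is an added example written for this page; it is not code from ClawHub or from the gstack-openclaw project. The function names audit_skill and make_sample_skill, and the three constructed sample directories, are assumptions made for the demonstration; it relies only on POSIX find/grep and mktemp.

```shell
#!/bin/sh
# Added example (not code from the ClawHub page or the gstack-openclaw project):
# a pre-install audit of an unpacked skill directory that applies the checks
# the scan report recommends. Sample directories below are constructed.

# audit_skill DIR
# Prints each finding and returns 0 when nothing is flagged, 1 otherwise.
audit_skill() {
  dir="$1"
  flagged=0

  # 1. Executables and install scripts. A documentation-only skill should
  #    ship none: no file with the owner-execute bit, no *.sh, no install*.
  exec_files=$(find "$dir" -type f \( -perm -100 -o -name '*.sh' -o -name 'install*' \) 2>/dev/null)
  if [ -n "$exec_files" ]; then
    printf 'EXECUTABLE OR INSTALL SCRIPT:\n%s\n' "$exec_files"
    flagged=1
  fi

  # 2. Actionable snippets in the docs: network calls (fetch/curl), reads of
  #    browser storage, and API-key placeholders the user would have to fill.
  hits=$(find "$dir" -type f -name '*.md' -exec grep -nE 'fetch\(|curl |localStorage|YOUR_API_KEY' {} + 2>/dev/null)
  if [ -n "$hits" ]; then
    printf 'ACTIONABLE SNIPPET IN DOCS:\n%s\n' "$hits"
    flagged=1
  fi

  # 3. Doc/package mismatch: docs tell the user to run ./install.sh but no
  #    such file is packaged (the inconsistency the scan report calls out).
  stale=$(find "$dir" -type f -name '*.md' -exec grep -lF './install.sh' {} + 2>/dev/null)
  if [ -n "$stale" ] && [ ! -f "$dir/install.sh" ]; then
    printf 'DOC/PACKAGE MISMATCH: ./install.sh referenced in %s but not packaged\n' "$stale"
    flagged=1
  fi

  return $flagged
}

# make_sample_skill KIND -> prints the path of a constructed skill directory.
#   clean      : README only, no runnable snippets, no scripts.
#   flagged    : executable install.sh plus a doc with fetch()/localStorage.
#   stale-docs : docs reference ./install.sh but the file is absent.
make_sample_skill() {
  d=$(mktemp -d)
  case "$1" in
    clean)
      printf 'Install with: clawhub install example-skill\n' > "$d/README.md"
      ;;
    flagged)
      printf '#!/bin/sh\necho installing\n' > "$d/install.sh"
      chmod u+x "$d/install.sh"
      printf 'Run ./install.sh then try:\n\n    fetch("/analytics", {method: "POST"})\n    page.evaluate(() => localStorage.getItem("token"))\n' > "$d/browse.md"
      ;;
    stale-docs)
      printf 'Manual install: cd ~/.openclaw/skills/example && ./install.sh\n' > "$d/README.md"
      ;;
  esac
  echo "$d"
}

# Stand-alone demonstration over the three constructed directories.
for kind in clean flagged stale-docs; do
  d=$(make_sample_skill "$kind")
  echo "== $kind skill"
  if audit_skill "$d"; then
    echo "verdict: nothing flagged"
  else
    echo "verdict: review before installing"
  fi
  rm -rf "$d"
done
```

Run it against a real unpacked skill with `audit_skill ~/.openclaw/skills/<name>`; a non-zero return means at least one finding was printed. The grep patterns are deliberately broad: a hit is a prompt to read the surrounding doc, not a verdict.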


Runtime requirements: 🦞 Clawdis

latest vk97dc41jr8hb57gd56kb9wzagh84hfdc
1.1k downloads
1 star
26 versions
Updated 2w ago
v2.5.10
MIT-0

⚠️ Security Notice

This is a documentation-only skill

  • ✅ Contains no executable code and makes no external API calls
  • ✅ Requires no API keys, credentials or secrets
  • ✅ Does not access the network and does not read or write user files (apart from standard OpenClaw tool calls)
  • ✅ All functionality is implemented through AI role prompts
  • ✅ No install scripts, no external dependencies

The external services mentioned (GitHub, CI/CD, monitoring) are used only to:

  • Offer best-practice advice in conversation
  • Guide users on how to configure these services
  • Never call these services' APIs directly

gstack

gstack for OpenClaw: bringing Garry Tan's virtual engineering team to the OpenClaw ecosystem

8 core roles that turn an AI agent from a general-purpose assistant into a structured engineering team


🎯 Design Philosophy

Garry Tan (YC CEO) produced 600,000 lines of code in 60 days with Claude Code + gstack. We ported it to OpenClaw so that everyone can have a virtual engineering team.

Core idea: don't use AI as a tool, manage it as a team, switching to a different expert role at each stage.


📦 Included Skills

Skill | Role | Purpose
--- | --- | ---
gstack:ceo | CEO / Product Manager | Product planning, requirements analysis, pain-point discovery
gstack:eng | Engineering Manager | Architecture design, technology selection, data-flow planning
gstack:design | Design Reviewer | Design review, AI-slop detection, design-system generation
gstack:investigate | Systems Debugging Specialist | Root-cause analysis, stop after 3 failures, bug investigation
gstack:security | Chief Security Officer | OWASP Top 10, STRIDE threat modeling
gstack:land | Deployment Verification Engineer | PR merge, production deployment, health verification
gstack:canary | Canary Monitoring Engineer ⭐ NEW | Canary analysis, automatic rollback decisions
gstack:benchmark | Performance Benchmark Engineer ⭐ NEW | Core Web Vitals, performance regression detection
gstack:review | Code Reviewer | Code review, bug finding, performance optimization suggestions
gstack:qa | QA Lead | Test strategy, acceptance criteria, quality gatekeeping
gstack:ship | Release Engineer | Release checklist, deployment process, go-live checks
gstack:browse | Browser Tester | Web scraping, feature verification, UI checks
gstack:retro | Retrospective Facilitator | Project retrospectives, lessons learned, improvement suggestions
gstack:office | Office Hours | Requirements clarification, direction alignment, brainstorming

🚀 Quick Start

1. Install

clawhub install openclaw/gstack

Or install manually:

git clone https://github.com/openclaw/gstack-openclaw ~/.openclaw/skills/gstack
cd ~/.openclaw/skills/gstack && ./install.sh

2. Usage

Create a GSTACK.md file in the project root to record the project context.

Then invoke a role whenever you need it:

Example commands:

  • @gstack:ceo help me analyze the product value of this feature
  • @gstack:review review the code in this module
  • @gstack:ship prepare the v1.0.0 release

🎭 Workflow Example

New feature development flow

  1. @gstack:office — clarify requirements, settle the direction
  2. @gstack:ceo — product planning, write the PRD
  3. @gstack:design — design review, generate the design system
  4. @gstack:eng — technical architecture design
  5. [Development in progress...]
  6. @gstack:review — code review
  7. @gstack:qa — test acceptance
  8. @gstack:ship — release and go live
  9. @gstack:retro — retrospective one week later

📁 Project Structure

File layout:

  • SKILL.md — this file (main skill description)
  • README.md — detailed usage documentation
  • GSTACK.md.template — project context template
  • _skills/ — subskill directory
    • plan-ceo/ — CEO skill
    • plan-eng/ — engineering manager skill
    • design/ — design review skill (v2.5.0)
    • investigate/ — systems debugging skill (v2.5.1)
    • security/ — security audit skill (v2.5.2)
    • land/ — deployment verification skill (v2.5.3)
    • canary/ — canary monitoring skill (v2.5.4) ⭐ NEW
    • benchmark/ — performance benchmark skill (v2.5.5) ⭐ NEW
    • review/ — code review skill
    • qa/ — QA skill
    • ship/ — release skill
    • browse/ — browser testing skill
    • retro/ — retrospective skill
    • office/ — office hours skill
    • docs/ — documentation skill
    • test/ — testing skill
    • deploy/ — deployment skill
    • init/ — initialization skill
    • status/ — status tracking skill
    • github/ — GitHub integration skill
    • notify/ — notification skill
  • docs/ — documentation directory
    • workflow.md — complete workflow guide
    • philosophy.md — design philosophy

🙏 Acknowledgements

  • Garry Tan — original author of gstack
  • Y Combinator — for continually driving the startup ecosystem
  • OpenClaw community — for putting AI agents within everyone's reach

📄 License

MIT License: completely free to use, modify and distribute

Our goal: give every developer a YC-grade engineering team


Made with 🦞 by OpenClaw Community
