Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Gstack Openclaw Skills

v1.0.0

The WorkBuddy/OpenClaw adaptation of gstack. Derived from gstack (Y Combinator, Garry Tan) and optimized for AI assistant platforms such as WorkBuddy/OpenClaw. Includes 15 professional tools covering the full development workflow from product ideation to code release.

0 stars · 221 downloads · 1 current · 1 all-time

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for dsg12te-del/gstack-openclaw-skills.

Prompt preview (Install & Setup):
Install the skill "Gstack Openclaw Skills" (dsg12te-del/gstack-openclaw-skills) from ClawHub.
Skill page: https://clawhub.ai/dsg12te-del/gstack-openclaw-skills
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install gstack-openclaw-skills

ClawHub CLI


npx clawhub@latest install gstack-openclaw-skills
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description and many SKILL.md files describe developer workflows (code review, QA, ship, office-hours) and the included helper scripts (command_router.py, state_manager.py) are consistent with that purpose. However the package claims 'no special dependencies' and 'instruction-only' in registry metadata, yet contains an install.sh and executable helper scripts — suggesting more than pure prompt-level behavior. That's plausible for a workflow skill but is a modest inconsistency to surface.
Instruction Scope
The runtime docs and conversation examples instruct the agent to perform broad actions: read logs (auth.log), access working directories, run tests, modify files, run install scripts, restart services, push commits and create PRs, and deploy to production. Those operations require filesystem, network and credential access and go well beyond read-only assistance. The SKILL.md does not declare or limit these accesses, which is scope creep and increases potential for unintended access or exfiltration.
Install Mechanism
Registry has no formal install spec, yet the repo includes an install.sh and the FINAL_SUMMARY documents a one-click install that clones https://github.com/AICreator-Wind/gstack-openclaw-skills.git and copies files into ~/.openclaw/skills/. An included install script that clones and writes files is higher-risk than a purely instruction-only skill: it will write to disk and may run arbitrary shell commands. The clone target is a third-party GitHub repo (not obviously the registry owner); without inspecting install.sh contents, this is potentially unsafe.
Credentials
requires.env lists no credentials, yet the documentation shows actions that normally require credentials (git push, PR creation, deploy, restarting services). The skill appears to rely on whatever credentials exist in the user's environment (local git config, SSH keys, cloud CLI creds). Not declaring or limiting this implicit use of existing credentials is a mismatch and raises the risk that the skill will perform privileged actions using the user's credentials without explicit consent.
Persistence & Privilege
always is false and the skill is user-invocable (normal). The package claims a one-click conversational install which implies the agent will write files into the user's skills directory and possibly persist state via the included state_manager — those are expected for an installed skill. This level of persistence is reasonable for a workflow skill, but combined with the concerns above (install script + broad runtime actions) increases the blast radius if the install or scripts are malicious.
What to consider before installing
This skill appears coherent for a developer workflow toolkit, but exercise caution before installing. Specifically:

  • Inspect install.sh and the two Python scripts (command_router.py, state_manager.py) yourself before running anything; look for network calls, curl/wget, obfuscated commands, or calls to external endpoints.
  • Because the docs describe cloning a GitHub repo and writing into ~/.openclaw/skills/, run the install script in a sandbox or VM first—not on a production workstation.
  • Note the skill's examples show reading logs, editing files, running tests, restarting services, and pushing commits: these use your local credentials (git, cloud, system). Only allow the skill to run if you accept that it may use those existing credentials implicitly.
  • If you want to proceed, review the remote repository (https://github.com/AICreator-Wind/gstack-openclaw-skills.git) and confirm maintainers/trust, or manually copy vetted files rather than running an automated installer.
  • If you lack the ability to audit the scripts, avoid conversational one-click install; prefer manual installation after code review.

If you want, I can summarize the install.sh and the two Python scripts (command_router.py, state_manager.py) for suspicious patterns: provide their contents or allow me to fetch them and I'll review line-by-line.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97222ct1w0pgkg4jnj09k723x83zkxr
221 downloads
0 stars
1 version
Updated 3w ago
v1.0.0
MIT-0

gstack-openclaw-skills - the WorkBuddy adaptation of gstack

Derived from gstack (Y Combinator CEO Garry Tan), adapted for WorkBuddy/OpenClaw

Introduction

gstack-openclaw-skills is the open-source WorkBuddy/OpenClaw adaptation of gstack. gstack is the open-source Claude Code setup published by Y Combinator President and CEO Garry Tan, containing 15 professional tools.

Garry Tan claims to have written more than 600,000 lines of production code with gstack in 60 days (35% of it tests), completing 10,000-20,000 usable lines per day.

Core Philosophy

Completeness Principle (Boil the Lake)

"Don't do a half-baked job; if you do it, do the whole thing."

AI-assisted programming should aim for complete implementations rather than shortcuts. Once a problem is identified it must actually be fixed; finishing a task means truly finishing it.

Smart Borrowing

When borrowing a feature from another product, always ask:

  1. Why does the feature work in the original product?
  2. Is the feature likely to succeed or fail in your own product?
  3. What adaptations are needed for it to succeed in your own product?

Skill Catalogue

Product Ideation Stage

Skill | Description
office-hours | YC office hours, validates product ideas
plan-ceo-review | Reviews the plan from a CEO's perspective
plan-eng-review | Reviews the architecture from an engineering manager's perspective
plan-design-review | Reviews the design from a designer's perspective

Development Stage

Skill | Description
review | Senior-engineer code review
investigate | Debugging and investigation expert
design-consultation | Design consultation

Testing and Release Stage

Skill | Description
qa | QA lead tests and fixes bugs
qa-only | QA reporter (report only)
ship | Release engineer automates the release

Documentation and Retrospective

Skill | Description
document-release | Technical writer updates the documentation
retro | Engineering manager runs the team retrospective

Power Tools

Skill | Description
codex | Independent review by OpenAI Codex
careful | Warnings for dangerous operations
freeze | Locks file editing
guard | Full safe mode

Recommended Workflow

1. /office-hours       → describe to the AI the product you want to build
2. /plan-ceo-review    → CEO-perspective review of the feature idea
3. /plan-eng-review    → engineering manager locks down the technical architecture
4. /plan-design-review → designer reviews the design
5. /review             → senior engineer reviews the code
6. /qa                 → QA tests the staging environment
7. /ship               → ship the code

Usage

In WorkBuddy, you can use these skills in the following ways:

  1. Direct invocation: tell WorkBuddy which skill you want to use, e.g. "use the office-hours skill"
  2. Scenario trigger: describe your need and WorkBuddy will automatically recommend a suitable skill
  3. Combined use: chain several skills together to form a complete workflow

Differences from gstack

Feature | gstack (original) | gstack-openclaw-skills
Platform | Claude Code | General-purpose AI assistants
Command format | Slash commands | Skill invocation
Dependencies | Bun, Git, browser | No special dependencies
Local scripts | Included | Converted to pure prompts

License

MIT License - see the LICENSE file.

Acknowledgements

  • Thanks to Garry Tan for creating gstack
  • This project is for learning and exchange purposes only

Version: 1.0.0
Updated: 2025-03-19
