Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Spec Developer

v1.0.0

Automated spec-driven development workflow (spec-draft, spec-plan, spec-execute)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the instructions: drafting specs, planning tasks, and executing tasks (modifying code, running tests) are coherent with a spec-developer skill. The resources it needs (repository files, test script) are appropriate for that purpose.
Instruction Scope
Runtime instructions tell the agent to read/write project files (specs/, specs/tasks.md, .agent/skills/... template, CLAUDE.md), modify/implement code, create session tasks, and run ./tools/run_native_tests.sh. Those actions are powerful (code changes, executing test scripts) and the SKILL.md provides no guardrails (dry-run mode, PRs, scoping to specific paths). The template path referenced (.agent/skills/spec-developer/templates/feature-spec.md) is required but the skill has no install step to ensure that template exists.
Install Mechanism
Instruction-only skill with no install spec; nothing will be written to disk by an installer. This is the lowest-risk install mechanism.
Credentials
The skill declares no environment variables or credentials. The instructions also do not request external API keys. However, executing local test scripts can implicitly rely on environment or local secrets (not declared), so you should confirm the test script's behavior.
Persistence & Privilege
always:false (normal) and autonomous invocation allowed (default). Because the skill can modify code and run tests, allowing it to run autonomously increases risk; consider restricting autonomous invocation or requiring explicit user confirmation before any repository modifications.
What to consider before installing
This skill is broadly coherent with its stated purpose but it can modify your repository and run local test scripts. Before installing: (1) verify the referenced template (.agent/skills/spec-developer/templates/feature-spec.md) actually exists or that the SKILL.md will be updated to provide it; (2) review ./tools/run_native_tests.sh to ensure it is safe and won't leak secrets or perform unexpected network calls; (3) prefer a dry-run or require manual review/PRs rather than direct commits—ensure the skill opens changes as draft commits/PRs instead of pushing directly; (4) limit autonomous invocation or require explicit confirmation before spec-execute runs; (5) backup the repo or run the skill in an isolated clone first. These steps will reduce the chance of unintended or destructive changes.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

📋 Clawdis
