Auto Dev Pipeline
v1.0.0
Complete automated development pipeline for one-person companies. Use when a user provides a simple app idea and wants a fully automated development process...
by 唐超 @tc1993
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name and description match the SKILL.md: the skill is an orchestrator that coordinates prd-skill, dev-skill, and qa-skill to produce PRD → code → tests. It declares no binaries, env vars, or installs, which is reasonable for an instruction-only orchestration skill.
Instruction Scope
Instructions explicitly spawn sub-agents (sessions_spawn), monitor completion, and read/write project artifacts in output/... which is appropriate for a pipeline orchestrator. Note: the skill assumes access to session-management APIs and a writable output directory; it does not declare config paths but the file I/O it describes is consistent with its purpose. The SKILL.md does not instruct reading unrelated system files or exfiltrating data to external endpoints.
Install Mechanism
No install spec and no code files — lowest-risk deployment model. There is nothing downloaded or written at install time by this skill itself.
Credentials
No environment variables, credentials, or config paths are required by this skill, which aligns with its role as a coordinator. Caveat: the child skills it spawns (prd-skill, dev-skill, qa-skill) may themselves request credentials or access; those should be reviewed separately.
Persistence & Privilege
The skill is not forced-always and uses normal autonomous invocation. Because it spawns sub-agents automatically, it can broaden runtime actions (and the blast radius) depending on what the sub-skills are allowed to do — this is expected for an orchestrator but worth considering.
Scan Findings in Context
[regex-scan-none] expected: No code files were present so the static regex scanner had nothing to analyze; this is expected for an instruction-only orchestration skill.
Assessment
This skill itself is an instruction-only orchestrator and appears consistent with its stated purpose. Before installing or enabling it: 1) verify the identities, provenance, and permissions of the child skills it spawns (prd-skill, dev-skill, qa-skill) — those sub-skills could request credentials or perform network/system actions; 2) confirm you are comfortable granting the agent session-management access and write access to the output directory (it will create Xcode projects and test artifacts); 3) if you do not want fully autonomous runs, consider disabling autonomous invocation or restrict when the skill can be invoked; and 4) check any configured model names (e.g., 'deepseekchat') and resource/time limits so the agent cannot overrun quotas or make unexpected external calls. If you can inspect the sub-skills' SKILL.md files or their registry entries, review them before use — issues are most likely to come from those child skills, not this orchestrator.
Like a lobster shell, security has layers — review code before you run it.
latestvk97aenr2ke391vhk91nvw94ct1838byy
