v1.0.0

Auto Dev Pipeline

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:48 AM.

Analysis

This is a disclosed instruction-only automation pipeline that chains other development skills and writes local project outputs, with no malicious behavior evident, but users should verify the referenced sub-skills before relying on the hands-off workflow.

Guidance: This skill appears purpose-aligned for users who explicitly want a hands-off PRD-to-code-to-tests workflow. Before installing, confirm you trust the referenced prd-skill, dev-skill, and qa-skill, avoid putting secrets into app ideas, and manually review generated code and tests before building, deploying, or publishing anything.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low; Confidence: High; Status: Note
SKILL.md
The pipeline uses OpenClaw's session management to automatically: 1. Spawn `prd-skill` sub-agent ... 2. Monitor PRD completion and trigger `dev-skill` ... 3. Monitor code generation and trigger `qa-skill`

The artifact clearly instructs a chained, automatic multi-agent workflow. This is central to the skill's stated purpose, but it means one user request can initiate multiple actions and generated outputs.

User impact: A simple app idea may lead to a full automated PRD, development, and QA sequence without additional manual checkpoints.
Recommendation: Use it only when you want the full automated pipeline, and review the generated PRD, code, and tests before building, publishing, or relying on them.

Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: High; Status: Note
SKILL.md
This skill coordinates prd-skill, dev-skill, and qa-skill

The main workflow depends on other named skills, but the reviewed package has no install spec or dependency/version declarations for them.

User impact: The safety and behavior of this pipeline depend on the installed versions of the referenced sub-skills, which are not reviewed here.
Recommendation: Before installing or running the pipeline, verify that prd-skill, dev-skill, and qa-skill are trusted, intended, and version-pinned where possible.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low; Confidence: High; Status: Note
SKILL.md
User Input → prd-skill → PRD Document → dev-skill → SwiftUI Project → qa-skill → Test Suite

The artifact documents passing user requirements, generated PRDs, and generated code between multiple sub-agents. This is expected for the pipeline, but data boundaries and trust assumptions for those agents are not detailed.

User impact: Your app idea, requirements, and generated code may be shared across the referenced sub-agents during the workflow.
Recommendation: Avoid including secrets in app descriptions, and ensure the referenced sub-agents are trusted before using the pipeline with proprietary project details.