Skillv1.0.3

ClawScan security

Speckit Workflow for Openclaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 22, 2026, 6:34 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill broadly matches its stated purpose (orchestrating a spec-driven workflow) but asks the agent to modify repository state and many agent-specific files and relies on the agent to perform (and honor) potentially sensitive git operations — these behaviors deserve caution before installation.
Guidance: This skill appears to do what it says (orchestrate Spec-Driven Development) and ships useful templates and bash scripts, but it will write files into your repository, create feature branches, and update many agent-specific files (CLAUDE.md, QWEN.md, .github/agents/..., .cursor rules, etc.). Before installing or enabling automated git operations: 1) Run it in a disposable or test repository first so you can observe what files it creates/overwrites; 2) Back up any existing agent configuration files or templates in your repo; 3) Confirm the agent asks you for explicit permission before performing git commit/push/branch creation and only grant that permission if you trust it; 4) If you do not want repository changes, choose 'No' to automated git operations — the skill will still write files locally but should not perform git commands if the agent follows the SKILL.md; 5) If you use other agent tooling, review update-agent-context.sh to see exactly which files it will create/update and adjust or sandbox accordingly. If you want me to, I can extract the list of all files the scripts may touch (including the truncated files) and point out exact lines that create/modify them.
Findings: [pre-scan-injection-signals] expected: No injection signals were detected. The presence of many shell scripts that manipulate repository files and call git is expected for this skill.

Review Dimensions

Purpose & Capability: okName/description (Spec-Driven Development orchestrator) align with included templates and bash scripts: creating specs, plans, tasks, feature directories, and delegating to subskills is expected. The README explicitly requires Git access (SSH/credential helper) which matches the scripts' use of git.
Instruction Scope: noteSKILL.md instructs the agent to copy the bundled .specify/ directory into the project and to spawn sub-agents for each phase — this is consistent with the stated workflow. However the runtime scripts (notably update-agent-context.sh) will create/update many repository-level agent files (CLAUDE.md, QWEN.md, .github/agents/copilot-instructions.md, .cursor rules, etc.). That behavior is within a plausible 'agent context' purpose, but it expands scope beyond just spec files: it modifies or creates files that could affect other agent integrations or workflows. Also the workflow assumes the agent will ask for and obey user permission for git actions, but enforcement is up to the agent (the code does run git commands like checkout, fetch).
Install Mechanism: okInstruction-only skill with bundled scripts and templates — no network downloads, package installs, or external install URLs. The highest-risk install-types (downloading and executing arbitrary archives) are not used here.
Credentials: okNo environment variables or credentials are declared in the metadata. The scripts rely on standard git environment (SSH keys, credential helpers) and an optional SPECIFY_FEATURE env var. That is proportionate to a tool that manipulates repo branches and files. No unrelated secrets are requested.
Persistence & Privilege: concernThe skill will create or update repository-level agent files (CLAUDE.md, QWEN.md, .github/agents/..., .cursor rules, etc.) and may create files at the project root. This can alter other agents' configurations or project metadata. While 'always' is false, the skill's scripts explicitly modify repository content and may run git operations (checkout, fetch, branch creation). Users should be aware it can change repository state and create/overwrite files that affect other tooling.