Dev Team
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill has a clear development-orchestration purpose, but it gives spawned coding agents unsandboxed command/file access and can automatically act on GitHub and local worktrees.
Install only if you intentionally want a powerful local development orchestrator. Start with auto-merge, cron/LaunchAgent jobs, and automatic cleanup disabled; run it on disposable worktrees first; use least-privilege GitHub credentials; and avoid confidential repositories unless sharing code with the configured agent providers is acceptable.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A spawned subagent may be able to run commands and read or modify files with the user's local privileges, not just within a narrowly enforced sandbox.
The skill launches multiple coding agents with approval/sandbox bypasses and shell/read/write tools enabled by default.
"args": ["exec", "--dangerously-bypass-approvals-and-sandbox"] ... "args": ["--dangerously-skip-permissions", "-p"] ... "--approval-mode", "yolo", "--allowed-tools", "run_shell_command,write_file,read_file,grep_search"
Use only in disposable or well-backed-up worktrees, remove the dangerous bypass flags where possible, require per-action approvals, and constrain each agent to the minimum workspace and permissions needed.
If enabled or invoked on the wrong repository, the skill could comment on or merge GitHub pull requests using the user's account privileges.
The workflow can use the user's GitHub CLI identity to post PR comments and optionally queue/perform merges.
`--auto-merge` ... `gh pr merge --auto` ... `Each reviewer posts its own comment on the PR`
Keep auto-merge disabled unless explicitly needed, use a least-privilege GitHub account/token, and confirm the target repo/branch/PR before running review or merge automation.
A mistaken task state or bad subagent outcome could propagate into cleanup or history-pruning actions without a separate human checkpoint.
A single monitoring run can automatically trigger cleanup, queue synchronization, and pruning steps after checking agents.
Auto cleanup after check-agents... "$SKILL_DIR/scripts/cleanup-worktrees.sh" ... Sync queue status after check-agents... ... Prune queue history after check-agents...
Disable automatic cleanup/pruning until the workflow is trusted, run cleanup manually first, and keep backups of active task files and git branches.
If the user enables these schedules, the skill's monitoring and cleanup automation can run repeatedly in the background.
The documentation recommends user-configured scheduled monitoring, including recurring cron jobs or a macOS LaunchAgent.
openclaw cron add --name dev-team-monitor --cron "*/10 * * * *" --command scripts/check-agents.sh ... LaunchAgents ... StartInterval 600
Only add scheduled jobs after reviewing the scripts, document how to disable them, and periodically check active cron/LaunchAgent entries.
Repository code, diffs, and task prompts may be processed by Codex, Claude, Gemini, Cursor, or their configured accounts/services.
The review workflow sends PR diffs into multiple AI reviewer prompts, which is expected for this skill but can expose source code to external agent CLIs/providers.
`review-agent.sh` ... `Default three-way review: codex + gemini + claude` ... `Automatically fetches gh pr diff and injects it into the reviewer prompt`
Use this only on repositories whose code may be shared with those providers, and check each CLI's data-retention and privacy settings.
Users have less external provenance information to rely on before running high-impact local automation.
The package has limited provenance metadata and contains many runnable scripts despite no install spec or declared required binaries.
Source: unknown; Homepage: none; Slug: team-dev; Version: 0.1.4; No install spec — this is an instruction-only skill; 23 code file(s)
Review the full script contents, verify the publisher/source out of band, and confirm required local tools before installing or scheduling it.
