God Mode Skill
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill’s repo-tracking purpose is coherent, but it can use existing repo credentials and send AGENTS.md/commit data to LLM providers while some privacy and metadata disclosures understate that data flow.
Install only if you are comfortable granting the skill access to your configured repositories. Before running AGENTS.md analysis, confirm whether OpenClaw, Anthropic, OpenAI, or OpenRouter will receive the prompt. Review any AGENTS.md changes manually, and avoid curl-to-bash installs unless you inspect or pin the script first.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private repo instructions and development patterns could be shared with an external LLM provider during analysis.
The analysis flow may place complete AGENTS.md content and commit-derived context into OpenClaw or third-party LLM provider calls, but the artifacts do not clearly bound provider data handling or require a separate confirmation before using detected API keys.
god-mode automatically detects and uses the best available LLM: ... Anthropic ... OpenAI ... OpenRouter ... [prompt includes] Your complete AGENTS.md content
Before running agent analysis, confirm which LLM backend will be used, avoid setting API keys unless intended, and do not analyze sensitive private repositories unless provider sharing is acceptable.
Users may underestimate where their repository metadata, AGENTS.md content, or commit patterns can be sent.
This privacy wording can lead users to believe repo-derived data never leaves the machine, while other documented features call GitHub/Azure APIs and optional LLM providers for analysis.
- **All data stored locally** in `~/.god-mode/`
- **No tokens stored** - uses your existing `gh` auth
- **No telemetry** - nothing phones home
Revise the privacy section to distinguish local caching from intentional provider/API calls, and list exactly what data is sent to each external service.
The skill may read data from any repository accessible to the configured CLI/token, including private or work repositories.
The skill relies on existing account authentication or token environment variables to access repositories. This is purpose-aligned and says tokens are not stored, but it still uses delegated account authority.
Use CLIs users already authenticated: ... GitHub | `gh` ... Azure DevOps | `az` ... Fallback: `GITHUB_TOKEN`, `AZURE_DEVOPS_PAT`, `GITLAB_TOKEN` env vars.
Use least-privilege tokens/accounts where possible and only add repositories you want the skill to inspect.
Accepted changes could persistently alter how coding agents behave in the repository.
AGENTS.md is persistent agent instruction context. Updating it is central to the skill’s purpose, but incorrect or untrusted LLM suggestions could influence future agent behavior.
Fetches your AGENTS.md from the repository ... Displays recommendations interactively ... Optionally applies changes to your AGENTS.md
Manually review all AGENTS.md edits before applying or committing them.
A changed remote installer could run different code than the user expected.
The optional direct install path executes a remote script from the mutable main branch. It is user-directed, but it is less verifiable than a pinned release or reviewed local script.
curl -fsSL https://raw.githubusercontent.com/InfantLab/god-mode-skill/main/install.sh | bash
Prefer ClawHub installation or a pinned release/tag, and inspect install.sh before running it.
