ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Subagent Development

v1.0.0

Use when executing implementation plans with independent tasks in the current session

0· 927·3 current·5 all-time
by@wpank
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (subagent-driven development) match the instructions: orchestrating implementer/spec/quality-reviewer subagents to implement tasks, run tests, and commit changes. However, the skill expects access to a code workspace, git operations, and platform tooling (e.g., 'superpowers' tools and TodoWrite) while the registry metadata declares no required binaries, env vars, or config paths. That omission is notable but could be an omission rather than malicious intent.
!
Instruction Scope
SKILL.md and templates explicitly tell subagents to read plan files and implementation code, run tests, make commits, perform self-reviews, and 'Mark task complete in TodoWrite.' Those actions involve reading and modifying repository files and interacting with external services. The instructions do not include any steps that explicitly exfiltrate secrets, but they do give broad discretion to subagents to change code and call external platform services that are not fully specified.
Install Mechanism
Instruction-only skill with no install spec or downloaded code. That lowers disk/remote-install risk — nothing is pulled or executed by an install step.
!
Credentials
The skill declares no required environment variables or credentials, yet its workflow implies needing repo access (git credentials), and access to platform-specific services (TodoWrite and 'superpowers' tools). These credentials/configs are not listed in requires.env or required config paths, creating a mismatch that could hide necessary permissions or external endpoints the subagents will use.
Persistence & Privilege
always is false (normal). The skill relies on dispatching autonomous subagents to perform many automated actions (commits, tests, external notifications). Autonomous invocation is platform-default and not flagged by itself, but combined with the other concerns this means the agent could automatically make persistent changes unless you limit permissions or require human approval.
What to consider before installing
Before installing or running this skill, consider the following: (1) It expects to read and modify your repository (run tests, commit). Only enable it in a controlled environment (e.g., a sandbox repo, feature branch, or fork). (2) Ask where 'TodoWrite' and 'superpowers' integrations communicate and whether API tokens will be required; do not provide your main account tokens—use a dedicated, limited-permission service account if needed. (3) Require human-in-the-loop or restrict autonomous actions (prevent automatic commits or make subagents produce patches for manual review). (4) Audit commits made by any subagents and review their diffs before merging. (5) If you lack confidence about hidden endpoints or required credentials, test the skill locally with network access disabled or run it against a throwaway repository first. If you plan to grant git/CI credentials, grant least privilege and rotate tokens after testing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b7hzwc03q613s44ekc7dwxs80wkj1
927downloads
0stars
1versions
Updated 8h ago
v1.0.0
MIT-0
@wpank
latest
Download

Subagent-Driven Development

Execute plan by dispatching fresh subagent per task, with two-stage review after each: spec compliance review first, then code quality review.

Core principle: Fresh subagent per task + two-stage review (spec then quality) = high quality, fast iteration

Installation

OpenClaw / Moltbot / Clawbot

npx clawhub@latest install subagent-development

When to Use

digraph when_to_use {
    "Have implementation plan?" [shape=diamond];
    "Tasks mostly independent?" [shape=diamond];
    "Stay in this session?" [shape=diamond];
    "subagent-driven-development" [shape=box];
    "executing-plans" [shape=box];
    "Manual execution or brainstorm first" [shape=box];

    "Have implementation plan?" -> "Tasks mostly independent?" [label="yes"];
    "Have implementation plan?" -> "Manual execution or brainstorm first" [label="no"];
    "Tasks mostly independent?" -> "Stay in this session?" [label="yes"];
    "Tasks mostly independent?" -> "Manual execution or brainstorm first" [label="no - tightly coupled"];
    "Stay in this session?" -> "subagent-driven-development" [label="yes"];
    "Stay in this session?" -> "executing-plans" [label="no - parallel session"];
}

vs. Executing Plans (parallel session):

  • Same session (no context switch)
  • Fresh subagent per task (no context pollution)
  • Two-stage review after each task: spec compliance first, then code quality
  • Faster iteration (no human-in-loop between tasks)

The Process

digraph process {
    rankdir=TB;

    subgraph cluster_per_task {
        label="Per Task";
        "Dispatch implementer subagent (./implementer-prompt.md)" [shape=box];
        "Implementer subagent asks questions?" [shape=diamond];
        "Answer questions, provide context" [shape=box];
        "Implementer subagent implements, tests, commits, self-reviews" [shape=box];
        "Dispatch spec reviewer subagent (./spec-reviewer-prompt.md)" [shape=box];
        "Spec reviewer subagent confirms code matches spec?" [shape=diamond];
        "Implementer subagent fixes spec gaps" [shape=box];
        "Dispatch code quality reviewer subagent (./code-quality-reviewer-prompt.md)" [shape=box];
        "Code quality reviewer subagent approves?" [shape=diamond];
        "Implementer subagent fixes quality issues" [shape=box];
        "Mark task complete in TodoWrite" [shape=box];
    }

    "Read plan, extract all tasks with full text, note context, create TodoWrite" [shape=box];
    "More tasks remain?" [shape=diamond];
    "Dispatch final code reviewer subagent for entire implementation" [shape=box];
    "Use superpowers:finishing-a-development-branch" [shape=box style=filled fillcolor=lightgreen];

    "Read plan, extract all tasks with full text, note context, create TodoWrite" -> "Dispatch implementer subagent (./implementer-prompt.md)";
    "Dispatch implementer subagent (./implementer-prompt.md)" -> "Implementer subagent asks questions?";
    "Implementer subagent asks questions?" -> "Answer questions, provide context" [label="yes"];
    "Answer questions, provide context" -> "Dispatch implementer subagent (./implementer-prompt.md)";
    "Implementer subagent asks questions?" -> "Implementer subagent implements, tests, commits, self-reviews" [label="no"];
    "Implementer subagent implements, tests, commits, self-reviews" -> "Dispatch spec reviewer subagent (./spec-reviewer-prompt.md)";
    "Dispatch spec reviewer subagent (./spec-reviewer-prompt.md)" -> "Spec reviewer subagent confirms code matches spec?";
    "Spec reviewer subagent confirms code matches spec?" -> "Implementer subagent fixes spec gaps" [label="no"];
    "Implementer subagent fixes spec gaps" -> "Dispatch spec reviewer subagent (./spec-reviewer-prompt.md)" [label="re-review"];
    "Spec reviewer subagent confirms code matches spec?" -> "Dispatch code quality reviewer subagent (./code-quality-reviewer-prompt.md)" [label="yes"];
    "Dispatch code quality reviewer subagent (./code-quality-reviewer-prompt.md)" -> "Code quality reviewer subagent approves?";
    "Code quality reviewer subagent approves?" -> "Implementer subagent fixes quality issues" [label="no"];
    "Implementer subagent fixes quality issues" -> "Dispatch code quality reviewer subagent (./code-quality-reviewer-prompt.md)" [label="re-review"];
    "Code quality reviewer subagent approves?" -> "Mark task complete in TodoWrite" [label="yes"];
    "Mark task complete in TodoWrite" -> "More tasks remain?";
    "More tasks remain?" -> "Dispatch implementer subagent (./implementer-prompt.md)" [label="yes"];
    "More tasks remain?" -> "Dispatch final code reviewer subagent for entire implementation" [label="no"];
    "Dispatch final code reviewer subagent for entire implementation" -> "Use superpowers:finishing-a-development-branch";
}

Prompt Templates

  • ./implementer-prompt.md - Dispatch implementer subagent
  • ./spec-reviewer-prompt.md - Dispatch spec compliance reviewer subagent
  • ./code-quality-reviewer-prompt.md - Dispatch code quality reviewer subagent

Example Workflow

You: I'm using Subagent-Driven Development to execute this plan.

[Read plan file once: docs/plans/feature-plan.md]
[Extract all 5 tasks with full text and context]
[Create TodoWrite with all tasks]

Task 1: Hook installation script

[Get Task 1 text and context (already extracted)]
[Dispatch implementation subagent with full task text + context]

Implementer: "Before I begin - should the hook be installed at user or system level?"

You: "User level (~/.config/superpowers/hooks/)"

Implementer: "Got it. Implementing now..."
[Later] Implementer:
  - Implemented install-hook command
  - Added tests, 5/5 passing
  - Self-review: Found I missed --force flag, added it
  - Committed

[Dispatch spec compliance reviewer]
Spec reviewer: ✅ Spec compliant - all requirements met, nothing extra

[Get git SHAs, dispatch code quality reviewer]
Code reviewer: Strengths: Good test coverage, clean. Issues: None. Approved.

[Mark Task 1 complete]

Task 2: Recovery modes

[Get Task 2 text and context (already extracted)]
[Dispatch implementation subagent with full task text + context]

Implementer: [No questions, proceeds]
Implementer:
  - Added verify/repair modes
  - 8/8 tests passing
  - Self-review: All good
  - Committed

[Dispatch spec compliance reviewer]
Spec reviewer: ❌ Issues:
  - Missing: Progress reporting (spec says "report every 100 items")
  - Extra: Added --json flag (not requested)

[Implementer fixes issues]
Implementer: Removed --json flag, added progress reporting

[Spec reviewer reviews again]
Spec reviewer: ✅ Spec compliant now

[Dispatch code quality reviewer]
Code reviewer: Strengths: Solid. Issues (Important): Magic number (100)

[Implementer fixes]
Implementer: Extracted PROGRESS_INTERVAL constant

[Code reviewer reviews again]
Code reviewer: ✅ Approved

[Mark Task 2 complete]

...

[After all tasks]
[Dispatch final code-reviewer]
Final reviewer: All requirements met, ready to merge

Done!

Advantages

vs. Manual execution:

  • Subagents follow TDD naturally
  • Fresh context per task (no confusion)
  • Parallel-safe (subagents don't interfere)
  • Subagent can ask questions (before AND during work)

vs. Executing Plans:

  • Same session (no handoff)
  • Continuous progress (no waiting)
  • Review checkpoints automatic

Efficiency gains:

  • No file reading overhead (controller provides full text)
  • Controller curates exactly what context is needed
  • Subagent gets complete information upfront
  • Questions surfaced before work begins (not after)

Quality gates:

  • Self-review catches issues before handoff
  • Two-stage review: spec compliance, then code quality
  • Review loops ensure fixes actually work
  • Spec compliance prevents over/under-building
  • Code quality ensures implementation is well-built

Cost:

  • More subagent invocations (implementer + 2 reviewers per task)
  • Controller does more prep work (extracting all tasks upfront)
  • Review loops add iterations
  • But catches issues early (cheaper than debugging later)

Red Flags

Never:

  • Skip reviews (spec compliance OR code quality)
  • Proceed with unfixed issues
  • Dispatch multiple implementation subagents in parallel (conflicts)
  • Make subagent read plan file (provide full text instead)
  • Skip scene-setting context (subagent needs to understand where task fits)
  • Ignore subagent questions (answer before letting them proceed)
  • Accept "close enough" on spec compliance (spec reviewer found issues = not done)
  • Skip review loops (reviewer found issues = implementer fixes = review again)
  • Let implementer self-review replace actual review (both are needed)
  • Start code quality review before spec compliance is ✅ (wrong order)
  • Move to next task while either review has open issues

If subagent asks questions:

  • Answer clearly and completely
  • Provide additional context if needed
  • Don't rush them into implementation

If reviewer finds issues:

  • Implementer (same subagent) fixes them
  • Reviewer reviews again
  • Repeat until approved
  • Don't skip the re-review

If subagent fails task:

  • Dispatch fix subagent with specific instructions
  • Don't try to fix manually (context pollution)

Integration

Required workflow skills:

  • superpowers:writing-plans - Creates the plan this skill executes
  • superpowers:requesting-code-review - Code review template for reviewer subagents
  • superpowers:finishing-a-development-branch - Complete development after all tasks

Subagents should use:

  • superpowers:test-driven-development - Subagents follow TDD for each task

Alternative workflow:

  • superpowers:executing-plans - Use for parallel session instead of same-session execution

Comments

Loading comments...