Spec Plan Build Review
Security checks across malware telemetry and agentic risk
Overview
This is an instruction-only software delivery workflow; it is coherent and disclosed, but users should be aware it includes commit, push, CI, release, and optional subagent review steps.
This skill appears safe as an instruction-only delivery workflow. Before installing or using it, be aware that the normal workflow may include reading repository context, running checks, committing, pushing, verifying CI, and preparing releases. Only use the shipping steps when you actually want remote repository or publication changes.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may make persistent local and remote repository changes if the workflow reaches the shipping step.
These are high-impact repository and release actions. They are purpose-aligned with a delivery workflow, but they should be performed only when the user intends to ship.
- Commit with a specific message.
- Push and verify remote CI.
- Create release artifacts only after CI is green.
Confirm before allowing commits, pushes, tags, releases, or publication, especially for production or public repositories.
Private code or task details could be shared with additional review agents in runtimes that support subagents.
The skill may use subagents for review when supported. This is aligned with the stated review purpose, but it can expand which agents see repository or task context.
If the runtime supports real subagents and the task is large enough, fan out independent review passes.
Use subagent review only in trusted environments and avoid sharing sensitive code or secrets with agents that should not receive them.
