Spec Plan Build Review
Pass
Audited by ClawScan on May 14, 2026.
Overview
This is a coherent instruction-only delivery workflow, but users should explicitly approve any commit, push, release, or publication steps.
This skill appears safe as a process guide for coding work. Before using its shipping steps, confirm the intended repository, branch, diff, tests, account credentials, version, and publication target. Treat commit, push, release, and ClawHub/GitHub publication as actions that require explicit user approval.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used for shipping, the agent may create persistent repository changes, trigger CI, or prepare public release outputs.
The skill can guide an agent to use version-control and release tooling that mutates a repository or publishes artifacts. This matches the stated delivery purpose and includes CI gating, but the actions are high-impact if run on the wrong branch or without user intent.
- Commit with a specific message.
- Push and verify remote CI.
- Create release artifacts only after CI is green.
Require explicit confirmation before commit, push, tag, release, or publication actions, and verify the diff, branch, remote, and version first.
The agent could act under the user's existing GitHub, Git, or ClawHub authority during release workflows.
Pushing to a remote repository or publishing to ClawHub may rely on existing account credentials and permissions, although the skill does not request or handle credentials itself.
- Push and verify remote CI.
- ClawHub publish uses the same version as the repo release.
Use least-privileged credentials where possible and confirm the target account, repository, package, and version before allowing push or publish steps.
Large tasks may send code or review context to additional review agents supported by the runtime.
The skill may use subagents for review when supported. This is purpose-aligned, but project context may be shared within the agent runtime and the artifact does not define detailed subagent data boundaries.
If the runtime supports real subagents and the task is large enough, fan out independent review passes.
Avoid using subagent review on repositories containing sensitive material unless the runtime's data-sharing boundaries are acceptable.
