Openclaw Rd Pipeline

by yinlihudong · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
363 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install openclaw-rd-pipeline
Description
Orchestrate OpenClaw end-to-end R&D delivery in Feishu from requirement intake to closure using PM, developer, reviewer, and tester subagents. Use when handl...
Usage Guidance
Do not install or enable this skill before getting clarifications and making configuration changes. Specifically:
  1. Ask the author to list exactly which credentials and tokens are required (Feishu API token(s), Git account/token, CI credentials, any other service tokens) and to add them to requires.env/primary credential so you can review and provision scoped secrets.
  2. Confirm where repository pushes and PRs will be made (which org/repo and which account) and insist on least-privilege tokens (repo-scoped, non-admin) and an audit trail.
  3. Ask how Feishu access is scoped and whether chat/wiki reads are limited to the project group; sensitive chat history should be excluded or restricted.
  4. Verify the dependency on the external "Superpowers" skill and review its permissions.
  5. Test in a sandbox project with revoked or limited credentials before using in production.
The validate_status_flow.py script appears benign (it only checks state transitions), but the orchestrated network/write operations require explicit, scoped credentials and documentation before this skill should be trusted.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-rd-pipeline
Version: 1.0.0
The skill bundle outlines a legitimate R&D workflow. However, the `SKILL.md` instructs the OpenClaw agent to execute `scripts/validate_status_flow.py` directly via `bash` with arguments. This direct shell execution (`bash <script> <args>`) introduces a potential shell injection vulnerability if the arguments (e.g., `--from-status`, `--to-status`, `--file`) are derived from untrusted user input without proper sanitization by the OpenClaw agent's runtime. While the Python script itself is benign and there is no evidence of intentional malicious behavior within the skill bundle, this execution pattern represents a significant security risk.
Capability Assessment
Purpose & Capability
The skill claims end-to-end orchestration that includes Feishu API access and Git repo operations (clone, push, open PR). However, the package declares no required environment variables, no primary credential, and no install steps for CLI/API clients. Legitimate operation of the described workflow would require Feishu credentials/API tokens and Git credentials (or a configured CI/automation account). This mismatch is an incoherence.
Instruction Scope
SKILL.md tells the agent to query Feishu group history, load wiki docs, create master/subtasks and update statuses, clone/update repositories, push branches, open PRs, and run lint/tests. Those instructions reach into external services and change state (Feishu, source control, CI). They also reference calling an external 'Superpowers' skill. The instructions do not limit or document which credentials/endpoints to use, nor do they restrict what historical/chat content may be read — increasing risk of unintended data exposure.
Install Mechanism
This is an instruction-only skill with no install spec. No packages are downloaded or extracted by the skill bundle, and the included script is a small local validator. From an installation standpoint there is no direct code download risk.
Credentials
The workflow clearly needs access to Feishu (to read history, create/update tasks) and Git repository credentials (to push branches and open PRs), yet requires.env and primary credential are empty. The absence of any declared credentials is disproportionate to the described operations and should be corrected — otherwise the agent would need to rely on ambient credentials or privileged runtime environment, which is risky.
Persistence & Privilege
always:false (default) and autonomous invocation permitted. Autonomous invocation is the platform default; taken alone this is fine, but combined with the other concerns (undisclosed external integrations and write actions) it raises the operational risk if the agent runs without explicit per-use consent or audit controls.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install openclaw-rd-pipeline
  3. After installation, invoke the skill by name or use /openclaw-rd-pipeline
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of openclaw-rd-pipeline.
- Provides a deterministic, Feishu-driven R&D workflow with strict role boundaries for PM, developer, reviewer, and tester subagents.
- Automates requirement intake, structured parsing, project context enrichment, coding/PR flow, read-only review/testing gates, and bug handling.
- Integrates Feishu and git tools for status management, context building, and notification.
- Uses reference templates and a dedicated status validation script to ensure process consistency.
Metadata
Slug openclaw-rd-pipeline
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Openclaw Rd Pipeline?

Orchestrate OpenClaw end-to-end R&D delivery in Feishu from requirement intake to closure using PM, developer, reviewer, and tester subagents. Use when handl... It is an AI Agent Skill for Claude Code / OpenClaw, with 363 downloads so far.

How do I install Openclaw Rd Pipeline?

Run "/install openclaw-rd-pipeline" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Openclaw Rd Pipeline free?

Yes, Openclaw Rd Pipeline is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Openclaw Rd Pipeline support?

Openclaw Rd Pipeline is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Openclaw Rd Pipeline?

It is built and maintained by yinlihudong (@yinlihudong); the current version is v1.0.0.
