Downloads: 486 | Stars: 0 | Active Installs: 0 | Versions: 1
Install in OpenClaw
/install spec-flow
Description
Spec-driven development workflow. Interactive phase-by-phase confirmation from proposal to implementation. Trigger: 'spec-flow', 'spec mode', 'need a plan',...
Usage Guidance
This skill appears coherent for creating and managing specification documents and guiding implementation in a repo. Before installing and running:
1) Review the full contents of scripts/validate-spec-flow.py (not shown here) to ensure it doesn't call external endpoints or read unexpected files.
2) Be mindful that the Implementation phase implies the agent may execute tasks in your project — only allow 'execute all' or batch modes when you trust the generated tasks and the agent's behavior.
3) The skill will create and write files under .spec-flow/ in whatever workspace you run it in—run it from the intended repository.
4) If you keep sensitive data in your repo, verify the scripts do not upload or leak files (no evidence was found in the visible scripts).
5) If you want tighter control, prefer Step mode (default) so the agent stops for your confirmation between tasks.
Capability Analysis
Type: OpenClaw Skill
Name: spec-flow
Version: 0.1.0
The skill's core purpose is a benign structured development workflow. However, it contains several vulnerabilities. The `scripts/execute-task.sh` script is vulnerable to shell injection via the `FEATURE_NAME` argument and potentially regex injection via task descriptions, as it directly uses unsanitized user-controlled input in `grep` and `sed` commands. Additionally, `scripts/validate-spec-flow.py` is vulnerable to path traversal, allowing it to read arbitrary files outside the intended spec directory. These flaws could allow an attacker to execute arbitrary commands or read sensitive files if they can control the input provided to the AI agent.
Capability Assessment
Purpose & Capability
Name/description (Spec Flow, phase-by-phase spec authoring + implementation) matches the included files: SKILL.md, templates, references, and helper scripts for initializing and managing .spec-flow. There are no requested credentials, binaries, or config paths that are unrelated to authoring specs and managing the .spec-flow directory.
Instruction Scope
SKILL.md confines operations to the .spec-flow/ directory and mandates user confirmation at each phase. The runtime instructions explicitly read and write local files (proposal.md, requirements.md, design.md, tasks.md) and reference included reference docs. This is appropriate for the stated purpose, but the workflow includes an Implementation phase where the agent (when instructed by the user) may execute tasks; you should be aware that executing tasks could involve running tool calls or edits in your project repository when you tell the agent to do so (the skill enforces confirmation points and has a --fast option to bypass them only if explicitly requested).
Install Mechanism
No install spec (instruction-only) and included helper scripts are local shell/Python files. Nothing is pulled from external URLs or installed automatically. This is low-risk from an install/download perspective.
Credentials
The skill declares no required environment variables, credentials, or config paths. Some documentation (CONTRIBUTING.md) mentions an example env var (SPEC_FLOW_TEMPLATES) but neither SKILL.md nor the visible scripts require it; if you rely on environment-driven template overrides, inspect the code to confirm behavior. Overall, requested environment access is proportionate to the task.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or global agent config in the reviewed files. It will create and modify a .spec-flow/ directory in the current project — that is expected and appropriate for its function.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install spec-flow`
- After installation, invoke the skill by name or use `/spec-flow`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial release: introduces a structured, interactive, spec-driven workflow for complex feature development.
- Guides users through proposal, requirements, design, and task breakdown in distinct, confirmed phases
- Creates all documentation in Chinese under a dedicated `.spec-flow/` directory
- Supports optional global project context via steering documents
- Allows accelerated workflow (`--fast`) and skipping the design phase for simple features (`--skip-design`)
- Ensures user confirmation before proceeding to each next phase for accuracy and alignment
Frequently Asked Questions
What is Spec Flow?
Spec-driven development workflow. Interactive phase-by-phase confirmation from proposal to implementation. Trigger: 'spec-flow', 'spec mode', 'need a plan',... It is an AI Agent Skill for Claude Code / OpenClaw, with 486 downloads so far.
How do I install Spec Flow?
Run "/install spec-flow" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Spec Flow free?
Yes, Spec Flow is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Spec Flow support?
Spec Flow is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Spec Flow?
It is built and maintained by 青雲 (@echovic); the current version is v0.1.0.