Speckit Workflow for Openclaw
by Vinayak Verma · v1.0.3
744 Downloads · 0 Stars · 1 Active Installs · 5 Versions
Install in OpenClaw
/install speckit-workflow
Description
Complete Spec-Driven Development (SDD) orchestrator for OpenClaw. Initializes SpecKit and manages the full engineering lifecycle.
Usage Guidance
This skill appears to do what it says (orchestrate Spec-Driven Development) and ships useful templates and bash scripts, but it will write files into your repository, create feature branches, and update many agent-specific files (CLAUDE.md, QWEN.md, .github/agents/..., .cursor rules, etc.). Before installing or enabling automated git operations:
1) Run it in a disposable or test repository first so you can observe what files it creates or overwrites.
2) Back up any existing agent configuration files or templates in your repo.
3) Confirm the agent asks you for explicit permission before performing git commit/push/branch creation, and only grant that permission if you trust it.
4) If you do not want repository changes, choose 'No' to automated git operations; the skill will still write files locally but should not perform git commands if the agent follows the SKILL.md.
5) If you use other agent tooling, review update-agent-context.sh to see exactly which files it will create/update and adjust or sandbox accordingly.
Capability Analysis
Type: OpenClaw Skill
Name: speckit-workflow
Version: 1.0.3
The skill bundle is designed for a complex development workflow, involving extensive file system modifications, Git operations (commits, pushes, branch creation), and external API calls (to GitHub for issue creation). While the main SKILL.md explicitly prompts the user for consent before performing Git operations, and subskills include safeguards like read-only modes and URL validation for external calls, several shell scripts (`check-prerequisites.sh`, `common.sh`, `setup-plan.sh`, `update-agent-context.sh`) use `eval $(get_feature_paths)`. This pattern, even with attempted sanitization, is a known shell injection vulnerability (RCE risk) if an attacker could control the input to `get_feature_paths`. Additionally, `update-agent-context.sh` uses `sed -i` with constructed patterns, which can also be vulnerable to injection. These vulnerabilities, though not indicative of malicious intent within the skill itself, pose significant risks if exploited, classifying the skill as suspicious.
Capability Assessment
Purpose & Capability
Name/description (Spec-Driven Development orchestrator) align with included templates and bash scripts: creating specs, plans, tasks, feature directories, and delegating to subskills is expected. The README explicitly requires Git access (SSH/credential helper) which matches the scripts' use of git.
Instruction Scope
SKILL.md instructs the agent to copy the bundled .specify/ directory into the project and to spawn sub-agents for each phase — this is consistent with the stated workflow. However the runtime scripts (notably update-agent-context.sh) will create/update many repository-level agent files (CLAUDE.md, QWEN.md, .github/agents/copilot-instructions.md, .cursor rules, etc.). That behavior is within a plausible 'agent context' purpose, but it expands scope beyond just spec files: it modifies or creates files that could affect other agent integrations or workflows. Also the workflow assumes the agent will ask for and obey user permission for git actions, but enforcement is up to the agent (the code does run git commands like checkout, fetch).
Install Mechanism
Instruction-only skill with bundled scripts and templates — no network downloads, package installs, or external install URLs. The highest-risk install-types (downloading and executing arbitrary archives) are not used here.
Credentials
No environment variables or credentials are declared in the metadata. The scripts rely on standard git environment (SSH keys, credential helpers) and an optional SPECIFY_FEATURE env var. That is proportionate to a tool that manipulates repo branches and files. No unrelated secrets are requested.
Persistence & Privilege
The skill will create or update repository-level agent files (CLAUDE.md, QWEN.md, .github/agents/..., .cursor rules, etc.) and may create files at the project root. This can alter other agents' configurations or project metadata. While 'always' is false, the skill's scripts explicitly modify repository content and may run git operations (checkout, fetch, branch creation). Users should be aware it can change repository state and create/overwrite files that affect other tooling.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install speckit-workflow
- After installation, invoke the skill by name or use /speckit-workflow
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.3
- Reverted the changes that led to suspicious tag from openclaw
- Removed constitution.md that shouldn't have been there
v1.0.2
- Added detailed security warnings and best practices for automated git operations, including risks of `git push`, recommendations for credential management, branch isolation, and change review.
- No functional or workflow changes; main update is enhanced documentation and guidance for safer use.
- Removed `.specify/memory/constitution.md` file, but with no impact on described workflow behavior.
v1.0.1
Versioning Fix
- Corrected Versioning Scheme: Restored the v1.x lineage as v1.0.1. This fixes a regression where the versioning was temporarily lowered to v0.1.4 to match upstream.
Security & Workflow
- Enhanced Git Consent: The initial user prompt now explicitly requests permission for branch creation, in addition to git commit and git push. This ensures users are fully aware that the agent will manage feature branches.
- Refined Instructions: Updated SKILL.md to mandate this expanded consent question before any git operations occur.
Documentation
- Dependency Cleanup: Removed Python 3 from the documented requirements, verifying that the workflow operates purely on Bash and Git.
v0.1.4
- Added initial implementation of the speckit-workflow skill, including all required subskills and templates.
- Introduced security and version control prompt: agents must ask users to enable or disable automated git commit/push before proceeding.
- Clarified initialization: agents must copy the `.specify/` directory into the project root if missing.
- Updated orchestration instructions to delegate each workflow phase to local subskills in the `subskills/` directory.
- Improved instructions for implementation session management and clarified task chunking and state transition logic.
v1.0.0
- Initial release of speckit-workflow: a complete Spec-Driven Development (SDD) derived from github-speckit orchestrator for OpenClaw projects.
- Provides detailed instructions for initialization and workflow resumption, including platform-specific setup scripts.
- Orchestrates the full engineering workflow by delegating to phase-specific sub-agents using included SpecKit skills.
- Enforces canonical execution order: Constitution, Specify, Clarify (optional), Plan, Tasks, Analyze (optional), and Implement.
- Includes implementation session management guidelines for safe, incremental task execution and source control integration.
Frequently Asked Questions
What is Speckit Workflow for Openclaw?
Complete Spec-Driven Development (SDD) orchestrator for OpenClaw. Initializes SpecKit and manages the full engineering lifecycle. It is an AI Agent Skill for Claude Code / OpenClaw, with 744 downloads so far.
How do I install Speckit Workflow for Openclaw?
Run "/install speckit-workflow" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Speckit Workflow for Openclaw free?
Yes, Speckit Workflow for Openclaw is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Speckit Workflow for Openclaw support?
Speckit Workflow for Openclaw is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Speckit Workflow for Openclaw?
It is built and maintained by Vinayak Verma (@vinayakv22); the current version is v1.0.3.