listenbehind / spec驱动开发vibe coding skill

by 胡实 · GitHub ↗ · v1.0.1 · MIT-0
cross-platform · ⚠ suspicious

142 Downloads · 1 Stars · 0 Active Installs · 2 Versions

Install in OpenClaw: /install spec-driven-dev
Description
Drives the complete spec-driven development lifecycle (init→requirements→architecture→process_design→project_plan→coding→test→bugfix→code_review→release) inside a cloned Git repository. Stage gating, mandatory artefact output, multi-language support, built-in commit me...
Usage Guidance
This skill largely does what it says — orchestrates a spec-driven lifecycle inside a cloned Git repo — and requiring git plus a Git token is expected. However, there are three things to watch before installing or running it:

1) Token handling: The skill requires SPEC_DEV_GIT_TOKEN and claims it will not be written to artifacts/logs, yet its described flow constructs authenticated HTTPS URLs and uses the git credential helper (mentions ~/.git-credentials) and may push tags upstream. These steps commonly write tokens to disk or leave them in git metadata. Only supply a token with the minimum rights needed (preferably a token limited to the target repo and only to the required scopes). Consider using a short-lived token and be prepared to revoke it after use.

2) Undeclared environment variables & session capture: The SKILL.md reads OPENCODE_SESSION_ID, CLAUDE_SESSION_ID, and AGENT_SESSION_ID (not declared in requires.env). If your environment populates these, they may be written into checkpoint metadata. Verify whether you want these session IDs captured and stored in repo files.

3) Dynamic instruction loading & prompt-injection artifacts: The orchestrator will read auxiliary/skills/available_skills.xml and load SKILL.md files from the repository on-demand. That means repo contents can change the skill's behavior at runtime. Also, the pre-scan found unicode control characters — review the SKILL.md and any auxiliary SKILL.md files in the repo for obfuscated or malicious instructions before running.

Practical mitigations:
- Run the skill in a sandboxed environment or throwaway runner with access only to the intended repo. Do not run it with broad filesystem or network privileges.
- Provide a least-privilege PAT scoped to only the target repo and the minimal push/tag scopes; prefer short-lived tokens and rotate/revoke after use.
- Inspect and (if possible) lock the auxiliary/skills/* files in the repo so their contents are reviewed and trusted before allowing the orchestration to load them.
- Check ~/.git-credentials and git remote URLs after first run; prefer credential helpers that avoid persistent plaintext storage (credential cache or OS native helpers) or adjust the workflow to avoid writing the token into files.
- If you require stronger assurance, request a code-based implementation (not instruction-only) so you can review exact commands executed, or run the skill step-by-step with manual confirmation for commits/pushes.

If you want, I can: (a) list the exact places the SKILL.md writes or could write secrets, (b) suggest a minimal PAT scope to use safely, or (c) point out exact lines in the SKILL.md that should be changed to avoid writing tokens to disk.
Capability Analysis
Type: OpenClaw Skill Name: spec-driven-dev Version: 1.0.1 The skill bundle implements a complex Git-driven development workflow that requires a sensitive 'SPEC_DEV_GIT_TOKEN'. While its behavior is aligned with the stated purpose, it performs high-risk actions such as persisting credentials to '~/.git-credentials' and executing shell commands (clone, push, reset) constructed from user-provided variables like 'git_remote' and 'us_id' (found in SKILL.md and spec-driven-checkpoint/SKILL.md). Although the instructions include 'Forbidden Behaviors' to prevent token leakage in logs, the reliance on string manipulation for shell execution and the handling of authentication tokens create a significant security risk if inputs are not perfectly sanitized by the agent.
Capability Assessment
Purpose & Capability
Requiring git and a Git PAT (SPEC_DEV_GIT_TOKEN) is coherent with a skill that clones, commits, tags, and pushes a repository. Optional username/email env vars are reasonable. No unrelated cloud credentials or unexpected binaries are requested.
Instruction Scope
SKILL.md instructs reading and writing many repo files, committing WIP, tagging, optionally pushing checkpoint tags, and dynamically loading other SKILL.md files from auxiliary/skills/* — expected for orchestration but dangerous because: (1) it reads environment variables not declared (OPENCODE_SESSION_ID, CLAUDE_SESSION_ID, AGENT_SESSION_ID) for Session ID capture; (2) it promises tokens are never written to artifacts/logs yet the checkpoint/save/clone flow describes using credential helper and constructing authenticated HTTPS URLs which commonly write tokens into ~/.git-credentials or remote URLs; (3) progressive loading of SKILL.md files from the repo means the skill will execute instructions whose content is governed by repository contents (dynamic behavior). The SKILL.md also contained unicode-control-chars flagged as potential prompt-injection, which could attempt to influence model parsing.
Install Mechanism
Install spec only suggests installing git via brew (formula: git). That's a standard, low-risk package source and matches the declared binary requirement. No arbitrary downloads or extracts are present.
Credentials
The single required secret SPEC_DEV_GIT_TOKEN is proportionate to operations that push to and tag a remote; it is declared as primaryEnv. However, the instructions read additional environment variables (OPENCODE_SESSION_ID, CLAUDE_SESSION_ID, AGENT_SESSION_ID) that are not declared in requires.env. More importantly, the skill's operational steps imply writing credentials to ~/.git-credentials or embedding tokens in remote URLs — this conflicts with the SKILL.md's 'never write token to artifacts/logs' claim and risks token exposure via the filesystem, git config, or remote URLs. The skill does not request unrelated credentials, but its handling of the token is underspecified and risky.
Persistence & Privilege
always:false and normal autonomous invocation are appropriate. However, the skill explicitly writes commits, tags, checkpoint documents into the repository and may write to the user's home (~/.git-credentials). Writing credentials to a home file is system-level persistence beyond the skill's own ephemeral state and increases blast radius if the token is mishandled. The skill does not request to modify other skills' configs, but dynamic loading of SKILL.md files from the repository elevates runtime scope.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install spec-driven-dev
  3. After installation, invoke the skill by name or use /spec-driven-dev
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
**v1.0.1 adds spec-driven-checkpoint skill integration and checkpoint/rollback support.**
- Adds integration with the `spec-driven-checkpoint` sub-skill: a checkpoint can be saved by command at any stage, and the workflow can roll back to any checkpoint to restore the Git state and the agent context.
- The documentation adds the checkpoint trigger commands: `save_checkpoint-{us_id}`, `checkpoint-{us_id}`, `rollback {ckpt_id}`, `list_checkpoints-{us_id}`, and others.
- The path constants gain the checkpoint-related directories and files: `requirements/{us_id}/docs/checkpoints/index.md`, `{ckpt_id}.md`, and others.
- The skill description and the execution-protocol section now describe the checkpoint save and restore capability.
- The rest of the lifecycle and the interfaces remain compatible.
v1.0.0
Initial release of spec-driven-dev: full-lifecycle, gated, and multi-language spec-driven development in a Git repository.
- Drives the entire development cycle: `init → requirements → architecture → process_design → project_plan → coding → test → bugfix → code_review → release`
- Enforces artefact output and stage-gating for each phase, with automated commit checks and LOGAF Checklist for code reviews
- Multi-language support and OpenSkills progressive loading; auto-injects structured progress checkpoints throughout workflow
- Built-in credential management for secure, token-based Git operations (supports GitHub, GitLab, Bitbucket, Gitea)
- All actions and artefacts tracked, with checkpoints and iteration summaries for every phase
- Extensive configuration via environment variables and context injection for project constraints and feedback
Metadata
Slug spec-driven-dev
Version 1.0.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is spec驱动开发vibe coding skill?

Drives the complete spec-driven development lifecycle (init→requirements→architecture→process_design→project_plan→coding→test→bugfix→code_review→release) inside a cloned Git repository. Stage gating, mandatory artefact output, multi-language support, built-in commit me... It is an AI Agent Skill for Claude Code / OpenClaw, with 142 downloads so far.

How do I install spec驱动开发vibe coding skill?

Run "/install spec-driven-dev" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is spec驱动开发vibe coding skill free?

Yes, spec驱动开发vibe coding skill is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does spec驱动开发vibe coding skill support?

spec驱动开发vibe coding skill is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created spec驱动开发vibe coding skill?

It is built and maintained by 胡实 (@listenbehind); the current version is v1.0.1.
