Plan Flow

Structured AI-assisted development workflows - discovery, planning, execution, code reviews, and testing

Key things to consider before installing: - Ledger behavior: The skill documents a persistent 'flow/ledger.md' that is updated silently and used to influence future behavior. Ask the author how ledger entries are controlled, whether sensitive content is filtered, and how to disable ledger recording. Prefer not to enable this on repositories that contain secrets or proprietary logic. - Autopilot / automated actions: The top-level SKILL.md encourages automated runs and even says 'Never ask "Ready to create plan?" — just do it.' but other files contain contradictory checkpoints. Confirm whether the agent will actually modify files, run builds, or make commits without explicit user approval. If you require explicit approval before changes, do not enable autopilot. - Storage of API keys: The README suggests creating .plan-flow.yml with an anthropic_api_key example. Do NOT commit API keys to the repo; instead store provider keys in a secure secret store or environment variables and add .plan-flow.yml to .gitignore. Ask the author for a secure configuration alternative. - GitHub CLI auth: review what gh auth scopes you grant. The skill requires gh for PR review; ensure the token/account used has minimal necessary scopes. - Test in an isolated repo: Try the skill in a disposable repository first to observe behavior (file writes, commits, whether ledger populates, autopilot actions). Verify no automatic commits or pushes occur unless you explicitly approve. - Clarify inconsistencies: The SKILL.md set contains contradictory rules about auto-chaining and when to pause. Ask the maintainer to clarify intended autopilot behavior and how to opt out of any background logging. If you are uncomfortable with a silent, persistent ledger or any automatic file-modifying behavior, do not install or enable autopilot until you have explicit controls (ability to opt out of ledger, disable autopilot by default, and require explicit consent before code changes or commits).

Type: OpenClaw Skill Name: plan-flow Version: 1.0.8 This skill bundle is suspicious due to significant prompt injection vulnerabilities and instructions that bypass user approval for critical actions. The main SKILL.md explicitly instructs the AI agent to "run without asking permission" and "Never ask... just do it" for the entire development workflow (discovery, planning, execution), creating a critical risk where a malicious input could lead to arbitrary code generation and execution (via `execute-plan`'s 'implement' or 'build verification' steps) without user consent. Additionally, the `ledger.md` (described in SKILL.md and ledger/SKILL.md) 'silently captures' and 'applies learnings', establishing a persistent prompt injection surface that could modify agent behavior over time. While there's no explicit evidence of intentional data exfiltration or backdoor installation, these instructions create severe vulnerabilities that could be exploited for remote code execution or unauthorized actions.