
SpecClaw

by chanbistec · GitHub ↗ · v0.6.1 · MIT-0
cross-platform ⚠ suspicious
122 Downloads · 0 Stars · 0 Active Installs · 7 Versions
Install in OpenClaw
/install specclaw
Description
Spec-driven development framework for OpenClaw. Propose features, generate specs, spawn coding agents, validate implementations.
Usage Guidance
This skill is powerful and generally coherent with its purpose, but proceed with caution:
- Review config.yaml before using: the skill will run test/lint/build commands and may auto-commit/merge; ensure commands are safe and auto-merge behavior is acceptable.
- External integrations (GitHub issue sync, Discord notifications) are mentioned but no credentials are declared. Inspect gh-sync.sh and notification-related scripts to see which environment variables or auth methods they use; supply credentials only if you trust the code and repository.
- The skill spawns coding agents that receive file contents (up to 500 lines per file). If your repo contains sensitive secrets, consider cleaning or isolating the repository (or disabling automation) before running builds.
- There's a small path inconsistency in the docs: SKILL.md sometimes references bash skill/scripts/*. The actual scripts are in scripts/. Confirm paths used at runtime (OpenClaw may mount skill files under a different root) so commands invoked by the agent will work as intended.
- Test in a disposable or sandbox repository first. Disable automation/cron until you’ve validated behavior. If you need the GitHub/Discord features, audit the specific scripts (gh-sync.sh, notification code) to confirm what tokens they read and how they transmit data.

If you'd like, I can: (1) list the exact places where external tokens would be needed (search gh-sync.sh, notification code), (2) scan the bundled scripts for code that posts to external endpoints or reads environment variables like GITHUB_TOKEN, DISCORD_WEBHOOK, etc., or (3) summarize what config.yaml options control auto-merge and automation.
Capability Analysis
Type: OpenClaw Skill
Name: specclaw
Version: 0.6.1

The specclaw skill bundle implements a complex spec-driven development framework that orchestrates sub-agents to automate code changes. It is classified as suspicious due to the use of 'eval' in 'scripts/build.sh' and 'scripts/verify.sh' to execute shell commands (test, lint, and build) defined in the 'config.yaml' file. This creates a significant Remote Code Execution (RCE) vulnerability if the configuration is manipulated. Additionally, 'scripts/gh-sync.sh' handles GitHub authentication tokens to interact with the GitHub API (api.github.com). While these capabilities are aligned with the stated purpose of a build and synchronization engine, the lack of input sanitization for executed commands represents a high-risk behavior without evidence of intentional malice.
Capability Assessment
Purpose & Capability
The scripts and runtime instructions match the stated purpose: orchestrating propose→plan→build→verify workflows, spawning coding agents, creating worktrees/branches, and committing changes. This level of file/VC operations is expected for a spec-driven build orchestrator. Note: the SKILL.md mentions optional GitHub sync and notification integrations (Discord), but the registry metadata declares no required credentials or config paths for those services — a gap between claimed capabilities and declared requirements.
Instruction Scope
Runtime instructions read repository files, generate context payloads (build-context.sh collects listed files up to 500 lines each), create/modify files in .specclaw and the project, spawn coding subagents, run git operations (branch/worktree creation, commits, merges), and run configured test/lint/build commands. All of this is consistent with the skill goal, but it implies the agent will be given broad read/write access to the repo and may run arbitrary build/test commands. The SKILL.md also describes an autonomous 'cron' automation mode that will run builds on a schedule — this is powerful and should be enabled only with care.
Install Mechanism
There is no install spec (instruction-only). Scripts are bundled in the skill and invoked by the agent (via exec). No external downloads/installs are requested by the skill itself, which reduces install-time risk. The presence of many bundled scripts is expected for an orchestrator.
Credentials
The skill declares no required environment variables or primary credential, yet the SKILL.md and templates reference optional GitHub sync (creating/updating Issues) and external notifications (e.g., Discord channels). Those integrations normally require tokens or credentials (GH PAT, Discord webhook/bot token) but none are declared in requires.env. That mismatch could mean the skill expects credentials to exist elsewhere (git remotes/SSH, local environment), or that gh-sync.sh / notification scripts will read undeclared env vars at runtime — both are notable. Also, the skill emits commands that will run your project's test/lint/build commands (configurable in config.yaml) which may require network access or credentials not surfaced by the skill metadata.
Persistence & Privilege
The skill does not request 'always: true' and is user-invocable. However it can spawn agents autonomously (default platform behavior) and SKILL.md documents an automation/cron mode that will run builds on its own schedule. Combined with the skill's ability to create branches/worktrees and commit/merge changes, this grants meaningful persistent capabilities over the repository when enabled. There is no sign it tries to modify other skills' configs.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install specclaw
  3. After installation, invoke the skill by name or use /specclaw
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.6.1
Fix: gh-sync auth fallback (invalid token falls back to gh CLI). Fix: validate-change.sh enforces GitHub issue creation when github.sync is enabled.
v0.6.0
Phase validation guards: enforce propose→plan→build→verify→archive prerequisites. Configurable strict mode (workflow.strict). Change status inspector.
v0.5.0
Git worktrees: worktree-per-change strategy for parallel multi-change builds. Verification engine: evidence collection, agent-powered spec validation, structured reports.
v0.4.0
Verification engine: evidence collection, verify agent spawning, structured pass/fail reports, auto-verify after build, remediation suggestions. Also: gh-sync task checklist fix.
v0.3.0
GitHub Issues sync: one issue per change with task checklist, dual gh CLI + curl support, auto-sync across propose/plan/build/verify/archive
v0.2.0
Self-improvement features: build error journal with retry context, specclaw learn command, post-build review with scope deviation detection, cross-change pattern detection with auto-promotion
v0.1.0
Initial release: spec-driven development framework with build engine, wave-based parallel agent orchestration, git integration, task parsing, and status tracking
Metadata
Slug specclaw
Version 0.6.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 7
Frequently Asked Questions

What is SpecClaw?

Spec-driven development framework for OpenClaw. Propose features, generate specs, spawn coding agents, validate implementations. It is an AI Agent Skill for Claude Code / OpenClaw, with 122 downloads so far.

How do I install SpecClaw?

Run "/install specclaw" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is SpecClaw free?

Yes, SpecClaw is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does SpecClaw support?

SpecClaw is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created SpecClaw?

It is built and maintained by chanbistec (@chanbistec); the current version is v0.6.1.
