功能描述

Autonomously breaks coding tasks into spec, plan, code, and QA phases, executing all heavy work via Claude Code with multi-account rate limit rotation.

使用说明 (SKILL.md)

FlowForge

Name: FlowForge — Autonomous AI Coding Pipeline (Spec → Plan → Code → QA)
Author: windseeker1111

Autonomous spec → plan → code → QA pipeline powered by Claude Code. All heavy computation runs through Claude Code (Max subscription). OpenClaw only orchestrates.

Architecture

Flo (minimal tokens) → shell pipeline → Claude Code (all heavy work)
                                              ↓
                                   Account rotation on rate limit

Workflow Types

Classify the task before planning — each type has a different phase structure:

Type	When	Phase Order
`feature`	New capability	Backend → Worker → Frontend → Integration
`refactor`	Restructure existing code	Add New → Migrate → Remove Old → Cleanup
`investigation`	Bug hunt	Reproduce → Investigate → Fix → Harden
`migration`	Move data/infra	Prepare → Test → Execute → Cleanup
`simple`	Single-file change	Just subtasks, no phases

Steps

1. Setup workspace

bash ~/clawd/skills/flowforge/scripts/init_forge.sh "\x3Ctask_description>" "\x3Crepo_path>"

Creates ~/.forge/\x3Ctimestamp>/ with task.md.

2. Clarification checkpoint (required before spec)

Before running the pipeline, ask 2–4 targeted questions to resolve ambiguity. Do not ask for information already in task.md. Focus on:

Scope edge cases — "Does this include X, or is that a separate shape?"
Constraints — "Any files that are frozen / must not be touched?"
Integration points — "Which existing module owns this responsibility?"
Success definition — "What does passing look like — a test, a manual check, a metric?"

Present questions in a numbered list. Wait for answers before proceeding. If the task is unambiguous (e.g., a single-file fix from a clear issue), skip this step and note "No clarification needed."

Save answers to ~/.forge/\x3Ctimestamp>/clarifications.md for reference during spec + plan phases.

3. Run the pipeline

bash ~/clawd/skills/flowforge/scripts/run_forge.sh ~/.forge/\x3Ctimestamp>/

This chains 4 Claude Code calls:

Spec — generates spec.md incorporating clarifications (high thinking)
Plan — generates implementation_plan.json (high thinking)
Code — executes each subtask with verification (medium thinking)
QA — reviews output, scores against spec (high thinking)

Each step saves output to the workspace directory. Claude Code does ALL the work.

4. Monitor

Poll workspace for completion:

tail -f ~/.forge/\x3Ctimestamp>/progress.log
cat ~/.forge/\x3Ctimestamp>/qa_report.md

Account Rotation

Three Claude Max accounts rotate automatically on rate limit:

[email protected]  →  [email protected]  →  [email protected]  →  retry

Configure your accounts in ~/.flowforge/accounts.txt (one email per line). Save credentials per account in ~/.claude/accounts/\x3Cemail>.json. Switch accounts with: bash \x3Cskill-dir>/scripts/rotate_account.sh

GitHub Issues

To pull a task from a GitHub issue:

gh issue view \x3Cnumber> --repo \x3Cowner>/\x3Crepo> --json title,body | \
  jq -r '"# " + .title + "\
\
" + .body' > ~/.forge/\x3Ctimestamp>/task.md

Then run the pipeline normally.

Output

On completion, workspace contains:

clarifications.md — pre-spec Q&A (scope, constraints, integration points)
spec.md — full specification (incorporates clarifications)
implementation_plan.json — phases + subtasks with status
qa_report.md — QA review and score
project-context.md — session handoff note (decisions made, patterns established, what next session needs to know)
progress.log — timestamped execution log

Optional: Rubric Scoring (200 criteria)

Add --rubric flag for high-stakes runs. Scores against a universal 200-criterion quality rubric after the spec-based QA pass:

bash ~/clawd/skills/flowforge/scripts/run_forge.sh ~/.forge/\x3Ctimestamp>/ --rubric

Rubric covers: Architecture (40), Code Quality (40), Testing (40), Error Handling (30), Security (20), Documentation (15), Observability (15).

Verdict thresholds: ≥180 = Ship it | 150–179 = Needs work | \x3C150 = Major rework

Skip --rubric for quick tasks. Use it before shipping to production.

Prompts

See references/spec-prompt.md, references/planner-prompt.md, references/qa-prompt.md, references/rubric-prompt.md for the full Claude Code prompts used at each stage.

安全使用建议

Key things to consider before installing/using FlowForge: - Expect required binaries: the skill relies on the 'claude' CLI (and likely 'gh', 'jq', and 'openclaw') even though metadata lists none. Install and audit those tools first. - Credential handling: the skill asks you to store multiple Claude credential JSON files under ~/.claude/accounts and to copy them into ~/.claude/.credentials.json to rotate accounts. That copies sensitive authentication material in cleartext on disk and programmatically swaps them—only proceed if you understand and accept that risk. - Data exposure: run_forge.sh builds prompts containing repo listings/specs and invokes Claude Code. That sends your repository contents (and task descriptions) to external Claude Code sessions. Do NOT run this against private or sensitive repos unless you trust the endpoints and accept the policy/privacy implications. - Dangerous flag: the scripts call 'claude --dangerously-skip-permissions', which explicitly bypasses CLI permission safeguards—this is a red flag. Ask why it's needed and whether safer CLI options exist. - Metadata mismatch: the skill metadata should declare required binaries and sensitive file paths. The absence of those declarations is an incoherence; treat the skill as requiring manual review before use. - Operational/legal: rotating multiple accounts to evade rate limits may violate service terms; review Claude/Anthropic usage policies. What you can do before running: - Audit the 'claude' CLI binary you will use and understand what data it sends. - Store credentials in a secure place (encrypted) and avoid leaving multiple active credential files if possible. - Run the scripts in a throwaway/local clone of non-sensitive repos first to observe behavior. - Consider removing or modifying the '--dangerously-skip-permissions' flag and the automatic credential-copy logic, and require explicit manual account switching instead. If you want, I can produce a short patch that (a) updates SKILL.md metadata to list required binaries and file paths, (b) replaces automatic credential copying with an explicit, safer prompt for switching, and (c) removes or documents the dangerous flag usage so you can review alternatives.

功能分析

Type: OpenClaw Skill Name: flowforge Version: 1.1.0 FlowForge is an autonomous coding pipeline that implements high-risk automation patterns, specifically the use of the `--dangerously-skip-permissions` flag in `run_forge.sh` to bypass Claude Code's interactive security prompts. It also includes a credential rotation mechanism in `rotate_account.sh` that programmatically swaps Claude authentication tokens (`.credentials.json`) to circumvent rate limits. While these features align with the tool's stated purpose of autonomous development, the combination of credential manipulation and unconstrained shell execution creates a significant prompt-injection attack surface where a malicious GitHub issue or task description could lead to unauthorized system access or data loss.

能力评估

⚠ Purpose & Capability

The README/SKILL.md claim no required env vars/binaries, but the scripts and instructions require several external CLIs (claude, gh, jq, openclaw) and access to local credential files. Asking users to store multiple Claude account credential JSONs and rotating them is directly related to the stated multi-account rate-limit goal, but the skill metadata incorrectly declares 'none' for required binaries/env—an incoherence that hides needed privileges and dependencies.

⚠ Instruction Scope

run_forge.sh builds large prompts that include repo listings and spec contents and sends them to Claude Code via 'claude --dangerously-skip-permissions --print'. The pipeline reads repository files, writes a workspace under ~/.forge/, reads/writes ~/.flowforge/accounts.txt and ~/.claude/accounts/*.json, and copies chosen credential files into ~/.claude/.credentials.json. All of that is within the claimed function (having the LLM read the codebase and implement changes), but it also means potentially broad exfiltration of repository contents and local credential material to external LLM sessions. The SKILL.md instructs copying credentials and saving them in predictable locations with no encryption or access controls.

ℹ Install Mechanism

There is no install spec (instruction-only), so no remote downloads — that's lower risk. However, the package assumes installed CLIs (claude, gh, jq, openclaw) without declaring them. That mismatch (no required binaries declared vs. obvious runtime dependencies) is an integrity problem: users may install this expecting no extras, but the scripts will fail or behave insecurely when run.

⚠ Credentials

The skill declares no required credentials or env vars, yet it requires users to create and store multiple Claude credential JSON files in ~/.claude/accounts and a rotation list in ~/.flowforge/accounts.txt. It also uses an openclaw CLI event call. Requesting and programmatically copying local credential files (to switch active account) is a high-sensitivity operation and should have been declared and justified explicitly. No guidance is provided for protecting those credential files.

ℹ Persistence & Privilege

The skill does not set always:true and does not modify other skills' config, which is good. It does create persistent workspaces under ~/.forge/ and expects persistent account files under ~/.claude/accounts/. The act of copying credential JSON into the active credential path is persistent and sensitive but contained to the user's home directory — notable but not an explicit platform privilege escalation. The use of '--dangerously-skip-permissions' in claude calls increases the blast radius by bypassing CLI permission checks.

版本历史

v1.1.0

Autonomous AI coding pipeline. Breaks any task into Spec, Plan, Code, QA loop and executes via Claude Code. Multi-account rotation for rate limits. Use for features, refactors, bug fixes, or GitHub issues.

v1.0.0

Initial public release — autonomous Spec→Plan→Code→QA pipeline via Claude Code

元数据

Slug flowforge

版本 1.1.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 2

常见问题

FlowForge — Autonomous AI Coding Pipeline (Spec → Plan → Code → QA) 是什么？

Autonomously breaks coding tasks into spec, plan, code, and QA phases, executing all heavy work via Claude Code with multi-account rate limit rotation. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 417 次。

如何安装 FlowForge — Autonomous AI Coding Pipeline (Spec → Plan → Code → QA)？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install flowforge」即可一键安装，无需额外配置。

FlowForge — Autonomous AI Coding Pipeline (Spec → Plan → Code → QA) 是免费的吗？

是的，FlowForge — Autonomous AI Coding Pipeline (Spec → Plan → Code → QA) 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

FlowForge — Autonomous AI Coding Pipeline (Spec → Plan → Code → QA) 支持哪些平台？

FlowForge — Autonomous AI Coding Pipeline (Spec → Plan → Code → QA) 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 FlowForge — Autonomous AI Coding Pipeline (Spec → Plan → Code → QA)？

由 windseeker1111（@windseeker1111）开发并维护，当前版本 v1.1.0。

FlowForge — Autonomous AI Coding Pipeline (Spec → Plan → Code → QA)