功能描述

世界顶级思维合集 —— 融合Google Staff Engineer、Martin Fowler/Kent Beck/Jeff Dean工程思维、Paul Graham/Sam Altman创业思维、Elon Musk创新思维、Stripe/Airbnb设计思维。v2.5.10：移除install.sh以完全消...

使用说明 (SKILL.md)

⚠️ 安全声明 | Security Notice

本技能为纯文档型技能（Documentation-only Skill）。

✅ 不包含任何可执行代码或外部 API 调用

✅ 不需要任何 API Key、凭证或 secrets

✅ 不访问网络、不读写用户文件（除标准 OpenClaw 工具调用外）

✅ 所有功能通过 AI 角色提示词（prompts）实现

✅ 无安装脚本，无外部依赖

提到的外部服务（GitHub、CI/CD、monitoring）仅用于：

在对话中提供最佳实践建议

指导用户如何配置这些服务

不直接调用这些服务的 API

gstack

Name: Gstack Openclaw
Author: leo-jiqimao

gstack for OpenClaw —— 把 Garry Tan 的虚拟工程团队带到 OpenClaw 生态

将 AI Agent 从一个通用助手转变为结构化工程团队的 8 个核心角色

🎯 设计理念

Garry Tan (YC CEO) 用 Claude Code + gstack 在 60 天内产出 60 万行代码。我们把它移植到 OpenClaw，让每个人都能拥有虚拟工程团队。

核心思想：不是把 AI 当工具用，而是当团队管 —— 每个阶段切换不同专家角色。

📦 包含技能

技能	角色	用途
`gstack:ceo`	CEO / 产品经理	产品规划、需求分析、痛点挖掘
`gstack:eng`	工程经理	架构设计、技术选型、数据流规划
`gstack:design`	设计评审师	设计评审、AI Slop检测、设计系统生成
`gstack:investigate`	系统调试专家	根因分析、3次失败停止、Bug调查
`gstack:security`	首席安全官	OWASP Top 10、STRIDE威胁建模
`gstack:land`	部署验证工程师	PR合并、生产部署、健康验证
`gstack:canary`	金丝雀监控工程师 ⭐ NEW	金丝雀分析、自动回滚决策
`gstack:benchmark`	性能基准工程师 ⭐ NEW	Core Web Vitals、性能回归检测
`gstack:review`	代码审查员	代码审查、Bug 发现、性能优化建议
`gstack:qa`	QA 负责人	测试策略、验收标准、质量把关
`gstack:ship`	发布工程师	发版 checklist、部署流程、上线检查
`gstack:browse`	浏览器测试	网页抓取、功能验证、UI 检查
`gstack:retro`	复盘师	项目复盘、经验总结、改进建议
`gstack:office`	办公室时间	需求澄清、方向校准、头脑风暴

🚀 快速开始

1. 安装

clawhub install openclaw/gstack

或手动安装：

git clone https://github.com/openclaw/gstack-openclaw ~/.openclaw/skills/gstack
cd ~/.openclaw/skills/gstack && ./install.sh

2. 使用

在项目根目录创建 GSTACK.md 文件，记录项目上下文。

然后随时调用：

示例命令：

@gstack:ceo 帮我分析一下这个功能的产品价值
@gstack:review 审查一下这个模块的代码
@gstack:ship 准备发布 v1.0.0

🎭 工作流示例

新功能开发流程

@gstack:office — 澄清需求，确定方向
@gstack:ceo — 产品规划，写 PRD
@gstack:design — 设计评审，生成设计系统
@gstack:eng — 技术架构设计
【开发中...】
@gstack:review — 代码审查
@gstack:qa — 测试验收
@gstack:ship — 发布上线
@gstack:retro — 一周后复盘

📁 项目结构

文件组织：

SKILL.md — 本文件（主技能描述）
README.md — 详细使用文档
GSTACK.md.template — 项目上下文模板
_skills/ — 子技能目录
- plan-ceo/ — CEO 技能
- plan-eng/ — 工程经理技能
- design/ — 设计评审技能 (v2.5.0)
- investigate/ — 系统调试技能 (v2.5.1)
- security/ — 安全审计技能 (v2.5.2)
- land/ — 部署验证技能 (v2.5.3)
- canary/ — 金丝雀监控技能 (v2.5.4) ⭐ NEW
- benchmark/ — 性能基准技能 (v2.5.5) ⭐ NEW
- review/ — 代码审查技能
- qa/ — QA 技能
- ship/ — 发布技能
- browse/ — 浏览器测试技能
- retro/ — 复盘技能
- office/ — 办公室时间技能
- docs/ — 文档技能
- test/ — 测试技能
- deploy/ — 部署技能
- init/ — 初始化技能
- status/ — 状态追踪技能
- github/ — GitHub 集成技能
- notify/ — 通知技能
docs/ — 文档目录
- workflow.md — 完整工作流指南
- philosophy.md — 设计理念

🙏 致谢

Garry Tan —— 原创 gstack 作者
Y Combinator —— 持续推动创业生态
OpenClaw 社区 —— 让 AI Agent 触手可及

📄 License

MIT License —— 完全免费，随意使用、修改、分发

我们的目标：让每个开发者都能拥有 YC 级别的工程团队

Made with 🦞 by OpenClaw Community

安全使用建议

Summary of what to check before installing or using this skill: - The package appears to be documentation-only and coherent with its stated purpose (role-based engineering guidance). That said, the repository/documentation contains contradictory lines: several places still show a manual install using './install.sh' while the changelog and SECURITY.md say install.sh was removed. Do NOT run arbitrary install scripts without inspecting them first. - Many examples in the subskills show runnable code that accesses network APIs, posts telemetry, or reads local browser state (e.g., Playwright page.evaluate retrieving localStorage). These are templates/examples — the skill itself doesn't declare credentials — but if you execute those examples (or grant the agent browser/control tooling), they could read local tokens or send data off-host. Only run such scripts in safe environments and avoid running browser automation against sites holding secrets or tokens. - Prefer the documented clawhub install path. If you must use manual install, inspect the repository on GitHub (https://github.com/openclaw/gstack-openclaw) and verify there is no install.sh or other executable you don't trust. Clone the repo and manually inspect files before executing anything. - Don't paste API keys, tokens, or other secrets into chat prompts. If you want the skill to reason about integrations, provision credentials separately to the appropriate official skills or tooling and grant the minimal scope required. - If you plan to use the 'browse' or automation examples, run them in a sandboxed/test environment and review any generated scripts for calls that send data externally (fetch/curl) or read local storage. - If you want higher assurance, ask the author/maintainers for confirmation (or open an issue) that the published package truly contains no install scripts or executables; verify the published tag/release on the GitHub repo matches the registry package. Why 'suspicious' and not 'malicious': There is no clear evidence of deliberate misdirection or hidden executables — the main issue is inconsistent documentation that could mislead less-technical users into running commands. Those inconsistencies and the presence of many actionable network examples justify caution.

功能分析

Type: OpenClaw Skill Name: gstack-openclaw Version: 2.5.10 The gstack-openclaw skill bundle is a documentation-only collection of AI agent prompts designed to simulate a professional engineering team (roles like CEO, SRE, and Security). The bundle contains no executable code, scripts, or external dependencies, and explicitly follows a 'documentation-only' security model as detailed in SECURITY.md. All files, including SKILL.md and sub-skill definitions in the _skills/ directory, consist of Markdown-based instructions and templates for the agent to provide best-practice guidance. There is no evidence of malicious intent, data exfiltration, or unauthorized system access.

能力标签

cryptocan-make-purchasesrequires-oauth-token

能力评估

ℹ Purpose & Capability

The skill's name/description (a role-driven engineering productivity kit) matches the provided content: many role-oriented SKILL.md files, templates and examples. It does not declare any required binaries, env vars, or credentials. The included examples show integrations with GitHub, CI, WebPageTest, PSI, Datadog, Prometheus, Playwright, etc., which are reasonable for a documentation skill that teaches integrations — but those examples reference API keys and network calls even though the top-level SKILL.md/SECURITY.md claim 'no external API calls'. This is plausible (examples for users), but the presence of those examples should be expected and is worth noting.

⚠ Instruction Scope

The main SKILL.md and SECURITY.md repeatedly claim the skill is documentation-only and does not perform network calls or run scripts. However: (1) multiple places (SKILL.md and README) still show manual install commands using git clone and './install.sh' despite changelog/SECURITY.md stating install.sh was removed in v2.5.10 — that inconsistency could mislead users into running a script that may not exist or may be different in other versions; (2) subskill docs include runnable code snippets that read local state (e.g., Playwright examples that read localStorage) and show examples that POST telemetry (fetch('/analytics')) or curl WebPageTest/PSI APIs (with API keys). Those are examples, not active code in the skill, but they provide actionable commands that — if executed by the user or an agent with tooling permissions — could access local tokens or external services. The SKILL.md also instructs creating GSTACK.md in the project root (a file write), which contradicts wording that it 'does not read/write user files' unless done via standard OpenClaw tools. Overall the instructions are mostly documentation, but the mixed messaging and executable examples are a scope concern.

ℹ Install Mechanism

There is no declared install specification and no code files to execute; the registry metadata indicates an instruction-only skill. The README and SKILL.md mention 'clawhub install' (expected) but also include 'git clone' plus './install.sh' commands — even though v2.5.10 claims install.sh was removed. Because there's no packaged install spec and no archive downloads, installation risk is low, but the leftover references to an install.sh are an inconsistency worth verifying before running any manual commands you find in the docs.

ℹ Credentials

The skill declares no required env vars or secrets (primaryEnv none). However many documentation examples show using service API keys (WebPageTest k=YOUR_API_KEY, PSI YOUR_API_KEY, Datadog/NewRelic examples, Kubernetes secretKeyRef). These are typical templates and do not mean the skill will request or exfiltrate credentials, but they do mean that using the documented integrations will require you to supply credentials elsewhere. The skill itself does not ask for credentials, which is proportionate, but the docs include code that could read local tokens (browser localStorage access) — users should not grant the agent tooling access to sensitive environments or secrets unless intended.

✓ Persistence & Privilege

The skill is not always-enabled (always:false) and does not request elevated persistence or modify other skills. Autonomous invocation is allowed (disable-model-invocation:false), which is normal. There is no evidence this skill attempts to change other skills or system-wide settings.

版本历史

v2.5.10

- Removed the install.sh script to completely eliminate ClawHub Suspicious warnings. - Updated documentation and security statements to reflect the removal of all executable scripts. - Now fully documentation-only: no installation scripts or external dependencies.

v2.5.9

gstack-openclaw v2.5.9 - 增加 install.sh 的详细安全说明，明确仅运行安全操作，方便用户审查 - 在 SKILL.md 及 SECURITY.md 中补充安全分析，消除 ClawHub Suspicious 警告 - 文档优化，无功能和接口变更

v2.5.8

- 修复 ClawHub 代码块渲染问题 - 将示例命令和工作流由表格或文本格式改为列表形式，增强可读性 - 更新描述，反映新版本变更

v2.5.7

gstack-openclaw 2.5.7 - 修复代码块渲染问题，提升文档在 ClawHub 上的可读性与展示效果 - 优化 README 和 SKILL.md 中的代码片段格式，使用更恰当的代码块语法

v2.5.6

- Added SECURITY.md and introduced a comprehensive security/clarity statement. - Updated SKILL.md and README.md to clarify that the skill is documentation-only, does not execute code, or require external access. - install.sh script scope clarified: only copies documentation files. - Addressed ClawHub security warnings by improving transparency.

v2.5.5

No code or documentation changes detected in this version. - No updates or modifications were made to files in version 2.5.5.

v2.5.4

gstack-openclaw v2.5.4 - 新增金丝雀监控技能（canary）与性能基准技能（benchmark），强化生产全链路监控与性能检测。 - README与SKILL文档同步完善，反映新技能和发布链路闭环能力。 - 项目结构中加入 canary/ 与 benchmark/ 目录。

v2.5.3

v2.5.3 新增部署验证技能，提升上线任务自动化 - 新增 gstack:land「部署验证工程师」角色：实现PR合并、生产部署、健康验证一键完成 - 更新文档，详细介绍 land 技能的用途和工作流位置 - 项目结构中加入 _skills/land/ 目录

v2.5.2

v2.5.2 introduces a new security audit skill to the gstack skillset. - 新增“安全审计技能” (`gstack:security`)，支持 OWASP Top 10 与 STRIDE 威胁建模 - 项目描述与文档同步更新，强调零误报安全扫描 - 项目目录增加 `_skills/security/` 子目录用于安全能力扩展

v2.5.1

gstack-openclaw v2.5.1 - 新增 “系统调试” 技能（gstack:investigate）：支持科学根因分析、3次失败自动停止、协助Bug调查 - 工作流与文档中同步更新了调试技能相关内容 - 项目结构中加入 investigate/ 调试子目录

v2.5.0

v2.5.0 adds design review capabilities and design tooling: - 新增「设计评审师」角色 (`gstack:design`) - 支持设计评审、AI Slop 检测与完整设计系统自动生成 - 项目结构增加 _skills/design/，文档同步更新 - 新工作流纳入设计流程，提升团队协作与工程完整性

v2.4.0

gstack-openclaw 2.4.0 brings a full-feature update: - 新增完整 ASCII 架构图展现 - 推出“10-Star体验”理念，优化用户流程 - 增加探索性测试能力 - 增补完整性缺口检查 - 多文档内容同步升级

v2.3.0

gstack-openclaw v2.3.0 brings several new features and improvements: - 新增工作流 feed 机制，提升工作流透明度与协作效率 - 增加 Auto-fix 能力，支持自动修复常见问题 - 引入 6 个强制性问题，加强决策审核与流程规范 - 提供 3 种实现方案，丰富工程决策选项

v2.2.0

gstack-openclaw 2.2.0 introduces major updates for workflow, roles, and integration: - 深度优化 10 个角色，完善职责分工 - 新增 YC 决策模式、专家对标体系 - 增强与 OpenClaw 工作流的集成能力 - 优化技能文档与使用说明

v1.2.0

v1.2.0: QA角色深度融合Google SET/测试架构师思维 - Google测试金字塔、可测试性设计、TDD三定律、探索性测试、测试策略模板、质量度量指标、混沌测试。

v1.1.0

v1.1.0: Review role深度融合Google Staff Engineer代码审查思维 - Google CR黄金法则、知识传递文化、阻塞/建议/赞赏分级评论、安全/性能/可维护性审查清单、通过CR培养团队文化。

v1.0.0

v1.0.0: Review role深度融合Google Staff Engineer代码审查思维 - CR黄金法则、5种评论类型、设计/正确性/性能/安全/可维护性审查清单、知识传递文化、Staff Engineer领导力原则。

v0.9.0

v0.9.0: Eng role深度融合Martin Fowler、Kent Beck、Jeff Dean的软件架构思维 - 简单设计四原则、演进式架构、TDD三定律、SLA/SLO/SLI可靠性工程、微服务/事件驱动/Serverless架构模式、性能数字清单。

v0.8.0

v0.8.0: Office role深度融合Paul Graham & Sam Altman的YC导师思维 - 创业想法筛选标准、最难问题清单、PMF识别方法、12周冲刺计划、YC申请表框架。

v0.7.0

v0.7.0: CEO role深度融合Elon Musk思维模式 - 第一性原理、长期主义、规模化思维、物理思维、使命感驱动、快速迭代。新增马斯克风格对话示例。

元数据

Slug gstack-openclaw

版本 2.5.10

许可证 MIT-0

累计安装 4

当前安装数 4

历史版本数 26

常见问题

Gstack Openclaw 是什么？

世界顶级思维合集 —— 融合Google Staff Engineer、Martin Fowler/Kent Beck/Jeff Dean工程思维、Paul Graham/Sam Altman创业思维、Elon Musk创新思维、Stripe/Airbnb设计思维。v2.5.10：移除install.sh以完全消... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 1130 次。

如何安装 Gstack Openclaw？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install gstack-openclaw」即可一键安装，无需额外配置。

Gstack Openclaw 是免费的吗？

是的，Gstack Openclaw 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

Gstack Openclaw 支持哪些平台？

Gstack Openclaw 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Gstack Openclaw？

由 leo-jiqimao（@leo-jiqimao）开发并维护，当前版本 v2.5.10。

Gstack Openclaw