yinlihudong

Openclaw Rd Pipeline

Author: yinlihudong · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 363
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install openclaw-rd-pipeline
Description
Orchestrate OpenClaw end-to-end R&D delivery in Feishu from requirement intake to closure using PM, developer, reviewer, and tester subagents. Use when handl...
Security usage recommendations
Do not install or enable this skill before getting clarifications and making configuration changes. Specifically:
  1. Ask the author to list exactly which credentials and tokens are required (Feishu API token(s), Git account/token, CI credentials, any other service tokens) and to add them to requires.env/primary credential so you can review and provision scoped secrets.
  2. Confirm where repository pushes and PRs will be made (which org/repo and which account) and insist on least-privilege tokens (repo-scoped, non-admin) and an audit trail.
  3. Ask how Feishu access is scoped and whether chat/wiki reads are limited to the project group; sensitive chat history should be excluded or restricted.
  4. Verify the dependency on the external "Superpowers" skill and review its permissions.
  5. Test in a sandbox project with revoked or limited credentials before using in production.
The validate_status_flow.py script appears benign (it only checks state transitions), but the orchestrated network/write operations require explicit, scoped credentials and documentation before this skill should be trusted.
Functional analysis
Type: OpenClaw Skill
Name: openclaw-rd-pipeline
Version: 1.0.0
The skill bundle outlines a legitimate R&D workflow. However, the `SKILL.md` instructs the OpenClaw agent to execute `scripts/validate_status_flow.py` directly via `bash` with arguments. This direct shell execution (`bash <script> <args>`) introduces a potential shell injection vulnerability if the arguments (e.g., `--from-status`, `--to-status`, `--file`) are derived from untrusted user input without proper sanitization by the OpenClaw agent's runtime. While the Python script itself is benign and there is no evidence of intentional malicious behavior within the skill bundle, this execution pattern represents a significant security risk.
Capability assessment
Purpose & Capability
The skill claims end-to-end orchestration that includes Feishu API access and Git repo operations (clone, push, open PR). However, the package declares no required environment variables, no primary credential, and no install steps for CLI/API clients. Legitimate operation of the described workflow would require Feishu credentials/API tokens and Git credentials (or a configured CI/automation account). This mismatch is an incoherence.
Instruction Scope
SKILL.md tells the agent to query Feishu group history, load wiki docs, create master/subtasks and update statuses, clone/update repositories, push branches, open PRs, and run lint/tests. Those instructions reach into external services and change state (Feishu, source control, CI). They also reference calling an external 'Superpowers' skill. The instructions do not limit or document which credentials/endpoints to use, nor do they restrict what historical/chat content may be read — increasing risk of unintended data exposure.
Install Mechanism
This is an instruction-only skill with no install spec. No packages are downloaded or extracted by the skill bundle, and the included script is a small local validator. From an installation standpoint there is no direct code download risk.
Credentials
The workflow clearly needs access to Feishu (to read history, create/update tasks) and Git repository credentials (to push branches and open PRs), yet requires.env and primary credential are empty. The absence of any declared credentials is disproportionate to the described operations and should be corrected — otherwise the agent would need to rely on ambient credentials or privileged runtime environment, which is risky.
Persistence & Privilege
always:false (default) and autonomous invocation permitted. Autonomous invocation is the platform default; taken alone this is fine, but combined with the other concerns (undisclosed external integrations and write actions) it raises the operational risk if the agent runs without explicit per-use consent or audit controls.
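How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install openclaw-rd-pipeline
  3. Once installation completes, invoke the Skill by name or trigger it with /openclaw-rd-pipeline
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history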
v1.0.0
- Initial release of openclaw-rd-pipeline.
- Provides a deterministic, Feishu-driven R&D workflow with strict role boundaries for PM, developer, reviewer, and tester subagents.
- Automates requirement intake, structured parsing, project context enrichment, coding/PR flow, read-only review/testing gates, and bug handling.
- Integrates Feishu and git tools for status management, context building, and notification.
- Uses reference templates and a dedicated status validation script to ensure process consistency.
Metadata
Slug: openclaw-rd-pipeline
Version: 1.0.0
License:
Total installs: 0
Current installs: 0
Version count: 1
FAQ

What is Openclaw Rd Pipeline?

Orchestrate OpenClaw end-to-end R&D delivery in Feishu from requirement intake to closure using PM, developer, reviewer, and tester subagents. Use when handl... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 363 total downloads to date.

How do I install Openclaw Rd Pipeline?

Run the command "/install openclaw-rd-pipeline" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is needed.

Is Openclaw Rd Pipeline free?

Yes, Openclaw Rd Pipeline is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Openclaw Rd Pipeline support?

Openclaw Rd Pipeline is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Openclaw Rd Pipeline?

It is developed and maintained by yinlihudong (@yinlihudong); the current version is v1.0.0.
