echovic

Spec Flow

Author: 青雲 · GitHub · v0.1.0
cross-platform ⚠ suspicious
Total downloads: 486
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install spec-flow
Description
Spec-driven development workflow. Interactive phase-by-phase confirmation from proposal to implementation. Trigger: 'spec-flow', 'spec mode', 'need a plan',...
Security usage recommendations
This skill appears coherent for creating and managing specification documents and guiding implementation in a repo. Before installing and running:
  1. Review the full contents of scripts/validate-spec-flow.py (not shown here) to ensure it doesn't call external endpoints or read unexpected files.
  2. Be mindful that the Implementation phase implies the agent may execute tasks in your project; only allow 'execute all' or batch modes when you trust the generated tasks and the agent's behavior.
  3. The skill will create and write files under .spec-flow/ in whatever workspace you run it in, so run it from the intended repository.
  4. If you keep sensitive data in your repo, verify the scripts do not upload or leak files (no evidence was found in the visible scripts).
  5. If you want tighter control, prefer Step mode (default) so the agent stops for your confirmation between tasks.
Functional analysis
Type: OpenClaw Skill
Name: spec-flow
Version: 0.1.0

The skill's core purpose is a benign structured development workflow. However, it contains several vulnerabilities. The `scripts/execute-task.sh` script is vulnerable to shell injection via the `FEATURE_NAME` argument and potentially regex injection via task descriptions, as it directly uses unsanitized user-controlled input in `grep` and `sed` commands. Additionally, `scripts/validate-spec-flow.py` is vulnerable to path traversal, allowing it to read arbitrary files outside the intended spec directory. These flaws could allow an attacker to execute arbitrary commands or read sensitive files if they can control the input provided to the AI agent.
Capability assessment
Purpose & Capability
Name/description (Spec Flow, phase-by-phase spec authoring + implementation) matches the included files: SKILL.md, templates, references, and helper scripts for initializing and managing .spec-flow. There are no requested credentials, binaries, or config paths that are unrelated to authoring specs and managing the .spec-flow directory.
Instruction Scope
SKILL.md confines operations to the .spec-flow/ directory and mandates user confirmation at each phase. The runtime instructions explicitly read and write local files (proposal.md, requirements.md, design.md, tasks.md) and reference included reference docs. This is appropriate for the stated purpose, but the workflow includes an Implementation phase where the agent (when instructed by the user) may execute tasks; you should be aware that executing tasks could involve running tool calls or edits in your project repository when you tell the agent to do so (the skill enforces confirmation points and has a --fast option to bypass them only if explicitly requested).
Install Mechanism
No install spec (instruction-only) and included helper scripts are local shell/Python files. Nothing is pulled from external URLs or installed automatically. This is low-risk from an install/download perspective.
Credentials
The skill declares no required environment variables, credentials, or config paths. Some documentation (CONTRIBUTING.md) mentions an example env var (SPEC_FLOW_TEMPLATES) but neither SKILL.md nor the visible scripts require it; if you rely on environment-driven template overrides, inspect the code to confirm behavior. Overall, requested environment access is proportionate to the task.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or global agent config in the reviewed files. It will create and modify a .spec-flow/ directory in the current project — that is expected and appropriate for its function.
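How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install spec-flow
  3. Once installation completes, invoke the Skill by name or trigger it with /spec-flow
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history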
v0.1.0
Initial release: introduces a structured, interactive, spec-driven workflow for complex feature development.
- Guides users through proposal, requirements, design, and task breakdown in distinct, confirmed phases
- Creates all documentation in Chinese under a dedicated `.spec-flow/` directory
- Supports optional global project context via steering documents
- Allows accelerated workflow (`--fast`) and skipping the design phase for simple features (`--skip-design`)
- Ensures user confirmation before proceeding to each next phase for accuracy and alignment
Metadata
Slug: spec-flow
Version: 0.1.0
License:
Total installs: 0
Current installs: 0
Historical versions: 1
FAQ

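What is Spec Flow?

Spec-driven development workflow. Interactive phase-by-phase confirmation from proposal to implementation. Trigger: 'spec-flow', 'spec mode', 'need a plan',... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 486 total downloads so far.

How do I install Spec Flow?

Run the command "/install spec-flow" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Spec Flow free?

Yes, Spec Flow is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Spec Flow support?

Spec Flow runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Spec Flow?

Developed and maintained by 青雲 (@echovic); the current version is v0.1.0.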
