Speckit Workflow for Openclaw
Author: Vinayak Verma · v1.0.3
Total downloads: 744
Favorites: 0
Current installs: 1
Versions: 5
Install in OpenClaw
/install speckit-workflow
Description
Complete Spec-Driven Development (SDD) orchestrator for OpenClaw. Initializes SpecKit and manages the full engineering lifecycle.
Security usage recommendations
This skill appears to do what it says (orchestrate Spec-Driven Development) and ships useful templates and bash scripts, but it will write files into your repository, create feature branches, and update many agent-specific files (CLAUDE.md, QWEN.md, .github/agents/..., .cursor rules, etc.). Before installing or enabling automated git operations:
1) Run it in a disposable or test repository first so you can observe what files it creates/overwrites;
2) Back up any existing agent configuration files or templates in your repo;
3) Confirm the agent asks you for explicit permission before performing git commit/push/branch creation and only grant that permission if you trust it;
4) If you do not want repository changes, choose 'No' to automated git operations — the skill will still write files locally but should not perform git commands if the agent follows the SKILL.md;
5) If you use other agent tooling, review update-agent-context.sh to see exactly which files it will create/update and adjust or sandbox accordingly.
If you want me to, I can extract the list of all files the scripts may touch (including the truncated files) and point out exact lines that create/modify them.
Functional analysis
Type: OpenClaw Skill
Name: speckit-workflow
Version: 1.0.3
The skill bundle is designed for a complex development workflow, involving extensive file system modifications, Git operations (commits, pushes, branch creation), and external API calls (to GitHub for issue creation). While the main SKILL.md explicitly prompts the user for consent before performing Git operations, and subskills include safeguards like read-only modes and URL validation for external calls, several shell scripts (`check-prerequisites.sh`, `common.sh`, `setup-plan.sh`, `update-agent-context.sh`) use `eval $(get_feature_paths)`. This pattern, even with attempted sanitization, is a known shell injection vulnerability (RCE risk) if an attacker could control the input to `get_feature_paths`. Additionally, `update-agent-context.sh` uses `sed -i` with constructed patterns, which can also be vulnerable to injection. These vulnerabilities, though not indicative of malicious intent within the skill itself, pose significant risks if exploited, classifying the skill as suspicious.
Capability assessment
Purpose & Capability
Name/description (Spec-Driven Development orchestrator) align with included templates and bash scripts: creating specs, plans, tasks, feature directories, and delegating to subskills is expected. The README explicitly requires Git access (SSH/credential helper) which matches the scripts' use of git.
Instruction Scope
SKILL.md instructs the agent to copy the bundled .specify/ directory into the project and to spawn sub-agents for each phase — this is consistent with the stated workflow. However the runtime scripts (notably update-agent-context.sh) will create/update many repository-level agent files (CLAUDE.md, QWEN.md, .github/agents/copilot-instructions.md, .cursor rules, etc.). That behavior is within a plausible 'agent context' purpose, but it expands scope beyond just spec files: it modifies or creates files that could affect other agent integrations or workflows. Also the workflow assumes the agent will ask for and obey user permission for git actions, but enforcement is up to the agent (the code does run git commands like checkout, fetch).
Install Mechanism
Instruction-only skill with bundled scripts and templates — no network downloads, package installs, or external install URLs. The highest-risk install-types (downloading and executing arbitrary archives) are not used here.
Credentials
No environment variables or credentials are declared in the metadata. The scripts rely on standard git environment (SSH keys, credential helpers) and an optional SPECIFY_FEATURE env var. That is proportionate to a tool that manipulates repo branches and files. No unrelated secrets are requested.
Persistence & Privilege
The skill will create or update repository-level agent files (CLAUDE.md, QWEN.md, .github/agents/..., .cursor rules, etc.) and may create files at the project root. This can alter other agents' configurations or project metadata. While 'always' is false, the skill's scripts explicitly modify repository content and may run git operations (checkout, fetch, branch creation). Users should be aware it can change repository state and create/overwrite files that affect other tooling.
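How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install speckit-workflow
- Once installation completes, invoke the Skill by name or trigger it with /speckit-workflow
- Provide the required inputs according to the Skill's parameter description to get structured output
Version history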
v1.0.3
- Reverted the changes that led to the suspicious tag from OpenClaw
- Removed constitution.md that shouldn't have been there
v1.0.2
- Added detailed security warnings and best practices for automated git operations, including risks of `git push`, recommendations for credential management, branch isolation, and change review.
- No functional or workflow changes; main update is enhanced documentation and guidance for safer use.
- Removed `.specify/memory/constitution.md` file, but with no impact on described workflow behavior.
v1.0.1
Version 1.0.1
📝 Changelog
Versioning Fix
- Corrected Versioning Scheme: Restored the v1.x lineage as v1.0.1. This fixes a regression where the versioning was temporarily lowered to v0.1.4 to match upstream.
Security & Workflow
- Enhanced Git Consent: The initial user prompt now explicitly requests permission for branch creation, in addition to git commit and git push. This ensures users are fully aware that the agent will manage feature branches.
- Refined Instructions: Updated SKILL.md to mandate this expanded consent question before any git operations occur.
Documentation
- Dependency Cleanup: Removed Python 3 from the documented requirements, verifying that the workflow operates purely on Bash and Git.
v0.1.4
- Added initial implementation of the speckit-workflow skill, including all required subskills and templates.
- Introduced security and version control prompt: agents must ask users to enable or disable automated git commit/push before proceeding.
- Clarified initialization: agents must copy the `.specify/` directory into the project root if missing.
- Updated orchestration instructions to delegate each workflow phase to local subskills in the `subskills/` directory.
- Improved instructions for implementation session management and clarified task chunking and state transition logic.
v1.0.0
- Initial release of speckit-workflow: a complete Spec-Driven Development (SDD) derived from github-speckit orchestrator for OpenClaw projects.
- Provides detailed instructions for initialization and workflow resumption, including platform-specific setup scripts.
- Orchestrates the full engineering workflow by delegating to phase-specific sub-agents using included SpecKit skills.
- Enforces canonical execution order: Constitution, Specify, Clarify (optional), Plan, Tasks, Analyze (optional), and Implement.
- Includes implementation session management guidelines for safe, incremental task execution and source control integration.
FAQ
What is Speckit Workflow for Openclaw?
Complete Spec-Driven Development (SDD) orchestrator for OpenClaw. Initializes SpecKit and manages the full engineering lifecycle. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 744 cumulative downloads to date.
How do I install Speckit Workflow for Openclaw?
Run the command "/install speckit-workflow" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is Speckit Workflow for Openclaw free?
Yes, Speckit Workflow for Openclaw is completely free (open source and free of charge) and can be freely downloaded, installed and used.
Which platforms does Speckit Workflow for Openclaw support?
Speckit Workflow for Openclaw is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Speckit Workflow for Openclaw?
It is developed and maintained by Vinayak Verma (@vinayakv22); the current version is v1.0.3.