Enables AI agents to work on long-running projects across multiple sessions. Use when starting complex projects, resuming work on existing projects, managing...
Security Analysis
medium confidence
The skill's instructions mostly match a long-running workflow, but there are some mismatches and missing declarations (undeclared external dependencies and unspecified network integration) that merit user review before installing.
The SKILL.md describes a project/workflow manager and the instructions (task.json, progress.txt, working on one task, git commits) are coherent with that purpose. However the manifest lists 'tools': ["gh"] and the README tells you to ensure the Claude Code CLI is installed — yet required binaries/env vars are empty. This mismatch between declared requirements and the instructions is unexpected.
Runtime instructions are focused on reading/writing local workflow files, optionally running an init.sh, running lint/build/tests, and making git commits — all reasonable for this purpose. The instructions also claim integration with an 'Agent Workflow Web App' (tasks sync with web database, session output logged) but provide no endpoints, credentials, or steps for that sync; that unspecified network behavior is worth flagging.
This is an instruction-only skill with no install script or downloaded code. The manifest's install destination is just a copy location. No archive downloads or third‑party packages are pulled by the skill itself.
The skill does not request any environment variables or credentials, but the SKILL.md requires external tools (Claude Code CLI) and references syncing to a web database. If those integrations require API keys or tokens, they are not declared here — the omission reduces transparency and could lead to unexpected credential use by supporting tooling or templates.
The skill does not request always:true or other elevated persistence. It does not declare modifications to other skills or system-wide settings. Normal autonomous invocation is allowed (platform default).
Guidance
This skill appears to implement a sensible long-running project workflow, but it has a few transparency issues you should check before installing:
1) Verify external dependencies: the SKILL.md asks you to have the Claude Code CLI configured and the manifest lists the GitHub CLI ('gh') — install and configure these yourself, and ensure you trust them.
2) Inspect any init.sh or template files before running them (they can execute arbitrary code).
3) Ask the author or inspect the referenced repository for details about the 'Agent Workflow Web App' integration — who hosts the web database, what endpoints are used, and what credentials (if any) are required.
4) Prefer skills that explicitly declare required binaries and environment variables; absence of those declarations here is the main reason for caution.
If you can review the upstream repository or get confirmation about the web sync behavior and any required credentials, the risk assessment can be raised to higher confidence.
Latest Release
v1.1.1
Fix description: add explicit trigger phrases per Anthropic guidelines
Published by @YonghaoZhao722 on ClawHub