Production development workflow with TODO tracking, Graphite PRs, GitHub issues, Vercel deploy checks, and SMS notifications. Use when starting a new task, fixing bugs, implementing features, or any development work that needs tracked progress and code review.
Security Analysis
Medium confidence

The workflow instructions are mostly coherent for a developer, but there are mismatches between the skill's description/metadata and what the instructions actually require (missing declarations for CLIs, credentials, and an unexplained SMS capability), so caution is warranted.
The name/description mention TODO tracking, Graphite PRs, GitHub issues, Vercel deploy checks, and SMS notifications. The SKILL.md covers TODOs, Graphite (gt), GitHub (gh), and Vercel (vl) workflows but contains no mention of SMS configuration or how SMS notifications are sent. Registry metadata claims no required binaries or credentials, yet the instructions clearly require external CLIs (gt, gh, vl) and authenticated accounts. These gaps are inconsistent with the stated purpose.
The SKILL.md is an instruction-only workflow that stays within a development workflow: editing TODO.md/CHANGELOG.md, using git/gt/gh/vl, and creating GH issues for failed deploys. It does not instruct reading unrelated system files or exfiltrating data. However, it assumes the presence and authenticated state of several CLIs, and it allows that creating issues may include posting logs (potentially sensitive) without giving guidance on sanitization.
No install spec or code is present (instruction-only), so nothing is written to disk by the skill itself. This is the lowest-risk install mechanism. The SKILL.md lists required tools but the registry metadata did not declare them as required binaries — an inconsistency but not an install risk.
The skill declares no required environment variables or primary credential, but the workflow depends on GitHub (gh), Graphite (gt), and Vercel (vl) CLIs which typically require authentication tokens/credentials. The description also mentions SMS notifications but the instructions and metadata provide no explanation or required SMS credentials (e.g., Twilio API keys). Requesting no credentials in metadata while implying credentialed actions is disproportionate and unclear.
`always` is false and the skill is user-invocable only; it does not request persistent presence or modify other skills. It operates only within the user's project directory and Git history as described.
Guidance
This skill is a text-only developer workflow and not executable code, but there are several inconsistencies you should resolve before relying on it:
1) Confirm the author/source (none provided).
2) The SKILL.md assumes you have and are authenticated to 'gt' (Graphite), 'gh' (GitHub), and 'vl'/'vercel' CLIs; make sure those tools are installed and you understand which accounts/tokens are used.
3) The description mentions SMS notifications but the instructions give no implementation or credential requirements; ask the publisher how SMS is sent and what credentials are needed.
4) When following instructions that create issues or post logs, review and sanitize any sensitive data (credentials, secrets, internal endpoints) before posting.
5) If you plan to use this skill in an automated agent, ensure the agent's access tokens follow least-privilege principles and that you are comfortable granting the agent access to the relevant repos/deploy systems.
If the publisher cannot explain the SMS piece or why no credentials are declared, treat the skill as untrusted.
Latest Release
v0.1.0
Initial release of senior-dev, a production development workflow skill:
- Provides a 12-step workflow for tracking tasks, code changes, and progress.
- Integrates TODO tracking with `TODO.md` and changelogs with `CHANGELOG.md`.
- Supports Graphite PRs, GitHub issues, and standardized branch naming conventions.
- Includes automated Vercel deployment checks with real-time log fetch on failure.
- Offers SMS-ready reporting and explicit post-merge steps.
- Supplies tool recommendations: Graphite CLI, GitHub CLI, and Vercel watcher.
Published by @michaelmonetized on ClawHub