ClawHub
Bundle Pluginsource linked

OpenSpec Openclaw Pluginv0.1.1

OpenClaw plugin that integrates OpenSpec (@fission-ai/openspec) for spec-driven development inside OpenClaw sessions.

openspec-openclaw-plugin·runtime openspec-openclaw-plugin·by @juanclaw
openclaw bundles install clawhub:openspec-openclaw-plugin
Latest release: v0.1.1Download zip

Capabilities

Bundle format
generic
Tags
bundle-onlyformat:genericartifact:legacy-zip
Runtime ID
openspec-openclaw-plugin

Compatibility

Built With Open Claw Version
2026.5.7
Min Gateway Version
2026.5.7
Plugin Api Range
2026.5.7
Security Scan
VirusTotalVirusTotal
stale
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The OpenSpec integration is coherent, but `openspec_show` can include raw files and the implementation does not keep the resolved file-dump path inside `openspec/changes`, which is broader than the stated change/spec viewing purpose.
Instruction Scope
The bundled skill gives reasonable workflow guidance and anti-patterns, but it also normalizes mutating actions such as archive/update/init and uses confirmation-skipping archive flows, so users should review tool calls that modify project files.
Install Mechanism
There is no install spec, and the docs require a separate global `@fission-ai/openspec@latest` CLI on PATH; this is purpose-aligned but depends on an external, unpinned command.
!
Credentials
The plugin spawns a local CLI with user/model-supplied project paths and raw OpenSpec arguments; `allowedRoots` is opt-in and `readOnly` defaults off, so containment depends on user configuration.
Persistence & Privilege
The registered service declares no persistent state, but the tools can persistently modify project OpenSpec files through init, update, and archive unless read-only mode is enabled.
Scan Findings in Context
[suspicious.dangerous_exec] expected: The `child_process.spawn` finding is expected for a plugin whose purpose is to wrap the local `openspec` CLI, but the raw passthrough, Windows shell use, and weak file-path containment make it security-relevant.
What to consider before installing
Install only if you trust the local OpenSpec CLI and need this workflow. Before using it, pin the OpenSpec version, set `allowedRoots` to specific repositories, consider enabling `readOnly`, avoid `openspec_run` unless you approve the exact arguments, and do not use `includeFiles` on untrusted change names until the path-containment issue is fixed.
src/runner.ts:30
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Verification

Tier
source linked
Scope
artifact only
Summary
Validated package structure and linked the release to source metadata.
Source
github.com/juanclaw/Openspec-Openclaw-Plugin
Commit
ab425f6a0afb
Tag
main
Provenance
No
Scan status
suspicious

Tags

latest
0.1.1

openspec-openclaw-plugin

OpenClaw plugin that integrates OpenSpec (@fission-ai/openspec) for spec-driven development inside OpenClaw sessions.

The plugin exposes a normalized tool surface so OpenClaw agents can drive the OpenSpec workflow (propose → validate → apply → archive) without shelling out manually. It ships a bundled skill (openclaw-skills:openspec) so any provider-backed agent picks up the right behaviour.

Why this plugin

OpenSpec officially supports ~25 AI coding assistants (Claude Code, Cursor, OpenCode, …) but not OpenClaw. Wiring OpenSpec into OpenClaw at the plugin layer means the integration is provider-agnostic — swap the underlying CLI/model and the workflow keeps working.

Install

Requires:

  • OpenClaw >= 2026.5.0
  • Node.js 20.19.0+
  • @fission-ai/openspec available on PATH (npm install -g @fission-ai/openspec@latest)
# from a built dist
openclaw plugins install clawhub:openspec-openclaw-plugin

# or from a local checkout
git clone https://github.com/jlivanmaseda-maker/openspec-openclaw-plugin
cd openspec-openclaw-plugin
npm install --omit=peer --omit=optional --ignore-scripts
npm run build
openclaw plugins install --link "$PWD"

Then restart the gateway: openclaw gateway restart.

Tools

ToolWraps
openspec_initopenspec init [path] [--tools …] [--profile …]
openspec_updateopenspec update [path]
openspec_listopenspec list [--specs] --json
openspec_showopenspec show <name> (plus optional file contents)
openspec_validateopenspec validate [name]
openspec_archiveopenspec archive <change-name> --yes
openspec_statusopenspec status [change-name]
openspec_runEscape hatch passthrough

Config

openclaw.jsonplugins.entries["openspec-openclaw-plugin"].config:

{
  "enabled": true,
  "command": "auto",
  "args": [],
  "env": {},
  "readOnly": false,
  "allowedRoots": [],
  "timeoutMs": 60000
}
KeyDefaultNotes
enabledtrueToggle the plugin without uninstalling.
command"auto"Override the openspec binary path.
args[]Extra default arguments prepended to every invocation.
env{}Extra environment variables for the spawned process.
readOnlyfalseBlock init, update, archive (and openspec_run mutators).
allowedRoots[]If non-empty, restrict every operation to projects inside these absolute roots.
timeoutMs60000Per-command timeout.

Skill

The bundled skill (src/skill/SKILL.md) ships under openclaw-skills:openspec. It teaches the agent when to invoke OpenSpec, the core workflow, and anti-patterns. Extended patterns live in src/skill/references/workflow.md.

License

MIT