Project Methodology
Pass
Audited by ClawScan on May 8, 2026.
Overview
This is a coherent project-workflow skill that mainly reads and writes project documentation, with explicit safeguards around credentials and database/API access.
This skill appears safe to install as an instruction-only project methodology. Before use, be aware that it will shape future sessions through project docs, recaps, and plans; review any proposed file writes, do not store secrets in shared docs, and only approve local credential or database/API checks for a specific current task.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Incorrect, stale, or sensitive information in these files could influence future agent sessions.
The skill intentionally uses persistent project documentation as session memory and updates it across sessions.
Reads project memory files... docs/recaps/*.md, docs/plans/*.md... Writes recap files to docs/recaps/ and plan files to docs/plans/ ... Modifies project memory file 'Today's state' section when stale
Review recap, plan, and project-memory edits before accepting them, and avoid placing secrets or untrusted instructions in persistent project notes.
If a user approves credential checks too broadly, secrets or production connection details could be exposed to the agent context.
The skill may handle local credentials or environment details, but it explicitly requires current-turn user approval and forbids printing the contents.
Local env file (CLAUDE.local.md) — credentials and URLs. Do NOT read this file automatically... only after they confirm in the current turn. Never paste contents into chat output.
Approve CLAUDE.local.md access only for a specific need, prefer read-only or staging credentials, and do not ask the agent to print secret values.
If that local helper script is absent, modified, or untrusted, running it could produce misleading results or execute unreviewed local code.
The workflow optionally calls a local helper script that is not included in the provided skill artifacts.
python3 ~/.hermes/scripts/project-knowledge-index.py doctor 2>/dev/null | head -10
Before using the optional knowledge-graph check, verify the local script's source and contents, or skip that step.
