Project Methodology
Advisory
Audited by Static analysis on May 8, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Incorrect, stale, or sensitive information in these files could influence future agent sessions.
The skill intentionally uses persistent project documentation as session memory and updates it across sessions.
Reads project memory files... docs/recaps/*.md, docs/plans/*.md... Writes recap files to docs/recaps/ and plan files to docs/plans/ ... Modifies project memory file 'Today's state' section when stale
Review recap, plan, and project-memory edits before accepting them, and avoid placing secrets or untrusted instructions in persistent project notes.
If a user approves credential checks too broadly, secrets or production connection details could be exposed to the agent context.
The skill may handle local credentials or environment details, but it explicitly requires current-turn user approval and forbids printing the contents.
Local env file (CLAUDE.local.md) — credentials and URLs. Do NOT read this file automatically... only after they confirm in the current turn. Never paste contents into chat output.
Approve CLAUDE.local.md access only for a specific need, prefer read-only or staging credentials, and do not ask the agent to print secret values.
If that local helper script is absent, modified, or untrusted, running it could produce misleading results or execute unreviewed local code.
The workflow optionally calls a local helper script that is not included in the provided skill artifacts.
python3 ~/.hermes/scripts/project-knowledge-index.py doctor 2>/dev/null | head -10
Before using the optional knowledge-graph check, verify the local script's source and contents, or skip that step.
