Project Methodology

Pass

Audited by VirusTotal on May 8, 2026.

Overview

Type: OpenClaw Skill
Name: project-methodology
Version: 1.0.1

The skill bundle implements a structured project management methodology (warmup, plan, build, recap, wrapup) for an AI agent. The instructions in SKILL.md and references/stale-data-verification.md are highly safety-conscious, explicitly forbidding the automatic reading or exfiltration of credentials from local environment files (CLAUDE.local.md) and requiring user approval for database queries. While it attempts to interface with a local indexing script (~/.hermes/scripts/project-knowledge-index.py), it does so for project context discovery and handles its absence gracefully.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Incorrect, stale, or sensitive information in these files could influence future agent sessions.

Why it was flagged

The skill intentionally uses persistent project documentation as session memory and updates it across sessions.

Skill content

Reads project memory files... docs/recaps/*.md, docs/plans/*.md... Writes recap files to docs/recaps/ and plan files to docs/plans/ ... Modifies project memory file 'Today's state' section when stale

Recommendation

Review recap, plan, and project-memory edits before accepting them, and avoid placing secrets or untrusted instructions in persistent project notes.

What this means

If a user approves credential checks too broadly, secrets or production connection details could be exposed to the agent context.

Why it was flagged

The skill may handle local credentials or environment details, but it explicitly requires current-turn user approval and forbids printing the contents.

Skill content

Local env file (CLAUDE.local.md) — credentials and URLs. Do NOT read this file automatically... only after they confirm in the current turn. Never paste contents into chat output.

Recommendation

Approve CLAUDE.local.md access only for a specific need, prefer read-only or staging credentials, and do not ask the agent to print secret values.

What this means

If that local helper script is absent, modified, or untrusted, running it could produce misleading results or execute unreviewed local code.

Why it was flagged

The workflow optionally calls a local helper script that is not included in the provided skill artifacts.

Skill content

python3 ~/.hermes/scripts/project-knowledge-index.py doctor 2>/dev/null | head -10

Recommendation

Before using the optional knowledge-graph check, verify the local script's source and contents, or skip that step.