Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
senior-pm
v1.0.0
Senior Project Manager for enterprise software, SaaS, and digital transformation projects. Specializes in portfolio management, quantitative risk analysis, r...
⭐ 1· 242·3 current·3 all-time
by Alireza Rezvani (@alirezarezvani)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, templates, sample data, and examples all match a portfolio/PM analysis skill — the included scripts (project_health_dashboard.py, risk_matrix_analyzer.py, resource_capacity_planner.py) are appropriate for the stated purpose. However, SKILL.md shows example commands using python3, yet the manifest declares no required binaries; this is an inconsistency (the agent/runtime will need Python to run the scripts).
Instruction Scope
The SKILL.md instructions are scoped to running the included Python scripts against provided JSON data and producing dashboards/reports. The instructions do not explicitly ask the agent to read unrelated system files, request secrets, or post results to external endpoints — based on the provided SKILL.md and asset files this stays within purpose. But the actual runtime behavior depends entirely on the contents of the bundled scripts, which were not provided for review in this submission.
Install Mechanism
No install spec is declared (instruction-only), which is lower risk. However, the skill bundle contains multiple sizable Python scripts that will be executed if invoked. Because there is no install step, no external code is downloaded at install time (good), but executing bundled scripts still runs code on the host — those files should be inspected for network calls, subprocess execution, or writes to unexpected paths.
Credentials
The skill declares no required environment variables or credentials, which is proportionate for a reporting/analysis tool. That said, the included scripts could still read environment variables or local files at runtime — you should verify the script sources to confirm they don't access secrets or unrelated config.
Persistence & Privilege
The manifest's always field is false and the skill is user-invocable; it does not request permanent presence or elevated platform privileges in the metadata. Nothing indicates it will modify other skills or system-wide agent settings.
What to consider before installing
This skill appears coherent with its stated PM/reporting purpose, but there are two practical caution points: (1) SKILL.md demonstrates running 'python3 scripts/…' but the manifest lists no required binaries — ensure your environment will run Python 3 and validate that expectation. (2) The bundle contains three non-trivial Python scripts (not shown here). Before installing or running the skill, inspect those script sources (or request them) and check for: outbound network requests (HTTP, sockets), subprocess/exec usage, reading of arbitrary filesystem paths or environment variables, and any hard-coded remote endpoints. If you can't review the code, run the scripts in an isolated sandbox/container with only sample data and no secrets, and monitor network activity and filesystem writes. If you plan to run the skill against real project data containing sensitive budget/personnel information, confirm the scripts do not transmit data externally and consider sanitizing inputs. If you want, I can help list specific patterns to look for in the Python files or help review their source if you provide it.
Like a lobster shell, security has layers — review code before you run it.
