ClawHub

pm-workbench

v1.1.3

Use when product work needs clearer framing, prioritization, or communication: clarifying a vague request, evaluating whether a feature is worth doing, compa...

1· 73·1 current·1 all-time
byBobbie@bobbielee
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill name, SKILL.md, README, workflow references, templates, and examples all align with a PM workbench purpose. The only code present is a local validation script (scripts/validate-repo.js) whose behavior (checking docs and file wiring) is coherent with the stated install/validation guidance.
Instruction Scope
SKILL.md contains routing and behavioral rules for PM workflows and does not instruct the agent to access unrelated system files, environment variables, credentials, or external endpoints. The README suggests running local validation commands (npm run validate, openclaw skills check); those operate on local files only.
Install Mechanism
There is no install spec (instruction-only skill), lowering risk. The repository includes a local validation script run via npm run validate; that script performs purely local file reads and consistency checks. Because there is executable code in the repo, users should inspect scripts before running them, but there is no remote download or extract step in the skill metadata.
Credentials
The skill does not request environment variables, credentials, or config paths. Nothing in SKILL.md or the included scripts requires secrets or unrelated service access.
Persistence & Privilege
Skill flags show always: false and default autonomous invocation allowed (normal). The skill does not request permanent system presence or modify other skills or system-wide configs in the repo; local validation is self-contained.
Assessment
This skill appears coherent and low-risk: it is a documentation-and-prompt repo for PM workflows with a local Node.js validation script that only reads files and verifies links. Before installing or running anything: 1) review scripts/validate-repo.js yourself (it runs locally and performs file/link checks); 2) running npm run validate and openclaw skills check is recommended to verify the copy on your machine; 3) confirm you trust the skill source before allowing any agent to execute shell/npm commands on your system (agents can run commands if permitted); and 4) no API keys or credentials are required by this skill. If you need higher assurance, run the validation in an isolated environment or inspect the repository files first.

Like a lobster shell, security has layers — review code before you run it.

latestvk975zqw87xc7wn5jp8658ac61h84rcmb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments