PMP-Agentclaw

This skill appears to implement the advertised project-management features and does not request credentials or perform external network calls. Things to check before installing: - Verify source/repository: the package.json points to a GitHub URL but the registry metadata shows Source: unknown and Homepage: none. If possible, inspect the repository on GitHub (or obtain the author’s repository) and confirm it matches the package contents. - Clarify the SKILL.md 'install' metadata: SKILL.md contains an install entry (kind: download) but no download URL or install spec was provided in the registry — ask the publisher whether an external installer is required. Prefer building/installing from the code you reviewed rather than permitting an automatic remote download. - Run locally in an isolated environment first: build (npm install / npm run build) and run the CLI commands locally (node dist/cli/*) to confirm behavior. This also prevents any surprise network activity from an unreviewed installer. - Be cautious when supplying file or directory paths to the CLI (--file or projectDir): the CLI will read those files to compute EVM/risks/health — don't point it at system directories or credentials. Only provide project files you intend to analyze. - If you need higher assurance, review the omitted source files (remaining core/health implementation) and run the code through static scanners locally. Because no scan findings were detected in the provided metadata, that absence is not a guarantee — local verification is recommended. Overall: coherent and proportionate for a PM assistant, with a small metadata/install inconsistency to resolve and a general recommendation to verify the GitHub source and install from the reviewed code in a sandboxed environment.