PMP-Agentclaw
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a coherent project-management helper, with no artifact-backed malicious behavior, but users should notice its local health-check commands and optional multi-agent delegation features.
Before installing, confirm you trust the package source, run health checks only on intended project folders, and be cautious with multi-agent delegation if your project contains confidential business, budget, or stakeholder information.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run in the wrong folder, the skill may inspect local project files that the user did not intend to include in a health check.
The health-check command operates on a user-provided directory, defaulting to the current directory. This fits the project-health purpose, but users should run it only against intended project folders.
const projectDir = args.find(a => !a.startsWith('--')) || '.';
const resolvedDir = path.resolve(projectDir);
const result = checkHealth({ projectDir: resolvedDir });
Run health checks with an explicit project directory and avoid invoking them from folders containing unrelated sensitive files.
The assistant may perform project-health checking automatically when sessions begin, depending on how OpenClaw applies this configuration.
The plugin declares automatic health checks by default. This is project-management aligned, but it is worth noticing because it can cause health-check behavior at session start rather than only after an explicit command.
"autoHealthCheck": {
"type": "boolean",
"default": true,
"description": "Run health check at start of each session"
}
Disable or override autoHealthCheck if you only want health checks to run after explicit user requests.
If multi-agent mode is used, project details could be routed to other agents or roles involved in the delegation workflow.
The skill explicitly supports orchestrator/sub-agent modes and many delegations. This is consistent with project management, but the artifacts do not define detailed identity, permission, or data-sharing boundaries for delegated agents.
"multiAgent": {
"orchestrationPattern": "hub-and-spoke",
"delegationFramework": "RACI",
"modes": ["standalone", "orchestrator", "sub-agent"],
"maxDelegations": 50
}
Use multi-agent delegation only with trusted agents, and confirm what project information may be shared before delegating tasks.
Users may have less registry-level assurance about where the runnable package came from or how it should be installed.
Registry-level provenance and install metadata are incomplete, while the package includes code and documentation for npm/git-based installation. The package contents appear purpose-aligned, but the metadata mismatch is worth user attention.
Source: unknown
Homepage: none
Install specifications: No install spec — this is an instruction-only skill.
Install from the intended trusted repository or registry package, and review package.json/package-lock.json before running npm install or build commands.
