Product Manager Skills

Security checks across malware telemetry and agentic risk

Overview

This appears to be a markdown-only product-management advice skill with no evidenced hidden execution, credential use, or data exfiltration; users should verify the install source and understand that business context may be reused within a session.

This looks reasonable to install if you want a product-management coaching and artifact-writing skill. Before installing, verify that the package or repository is the one you intend to use, run any update helpers only manually, and be careful pasting confidential product metrics or company details because the skill may reuse them later in the same session.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities (Severity: Low)
What this means

A user has less registry-level provenance information to confirm they are installing the intended package, but the provided artifacts do not show hidden installation behavior.

Why it was flagged

The registry metadata does not provide a clear source or homepage for provenance verification, although the skill is declared instruction-only and no install-time code is specified.

Skill content
Source: unknown; Homepage: none; Install specifications: No install spec — this is an instruction-only skill.
Recommendation

Verify the package or repository through a trusted channel before installing or updating.

ASI05: Unexpected Code Execution (Severity: Info)
What this means

If a user chooses to run update commands or helper scripts, those commands execute locally, but the skill does not ask the agent to run them silently.

Why it was flagged

The skill documents update commands and optional helper-script use, but explicitly frames them as manual and user-directed rather than automatic execution.

Skill content
Do not execute local helper scripts automatically... `clawhub update product-manager-skills` ... `npx skills update Digidai/product-manager-skills` ... Do not instruct the agent to run it silently at session start.
Recommendation

Run update commands only when you intend to, and do not run optional helper scripts unless you trust and have reviewed their source.

ASI06: Memory and Context Poisoning (Severity: Low)
What this means

Confidential product metrics or company context shared earlier in a session may be repeated or influence later outputs in that session.

Why it was flagged

The skill may reuse business context and metrics during the same session, which is useful for PM work but can carry sensitive or stale assumptions forward.

Skill content
The skill remembers your product stage, team structure, metrics baseline, and framework preferences within a session. Labels recalled context as `[from earlier: user is Series A, 15-person team, $80k MRR]`.
Recommendation

Avoid sharing confidential details unless needed, correct stale assumptions promptly, and start a fresh session when switching products or sensitive contexts.