Coding PM

Security checks across malware telemetry and agentic risk

Overview

Coding PM is a coding automation skill whose behaviour is disclosed in its own documentation, but it runs Claude Code in the background with permission prompts disabled and a broadened filesystem boundary, so it warrants careful review before installation.

Install only if you are comfortable with a background Claude Code agent modifying a git worktree with permission prompts disabled. Start on a non-production repository, use backups or a container, review plans and diffs carefully, and avoid repositories containing secrets or data that cannot be sent to Claude Code.

VirusTotal

66/66 vendors reported this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
High
What this means

If the background agent misinterprets the task, is influenced by project content, or receives a bad prompt, it could run commands or change files before the user notices.

Why it was flagged

The skill explicitly runs the coding agent with Claude Code permission prompts disabled and grants it broad ability to mutate the codebase in the background. This matches the skill's purpose, but it is high-impact and not technically contained by a sandbox.

Skill content
Execution (Phase 3) | Full access via `--dangerously-skip-permissions` | Write code, run tests, commit changes
Recommendation

Use this only on trusted, backed-up, non-production checkouts or inside a container/VM. Review the plan, inspect diffs and commits before merging, and avoid running it in repositories containing secrets.

ASI02: Tool Misuse and Exploitation
Medium
What this means

Other tool use in the OpenClaw environment may gain access to files outside the normal workspace boundary, increasing the blast radius of mistakes or prompt-driven tool misuse.

Why it was flagged

The documented setup disables OpenClaw's workspace-only filesystem boundary so the agent can work in `~/.worktrees`. The reason is disclosed, but the setting is broader than a single task-specific path.

Skill content
openclaw config set tools.fs.workspaceOnly false
Recommendation

Only apply this setting if you understand the broader filesystem access it enables. Prefer a dedicated OpenClaw profile, container, or restricted user account for this skill.

ASI10: Rogue Agents
Medium
What this means

A task may keep running, testing, committing, or waiting for events while the user is doing other things.

Why it was flagged

The skill is designed to spawn and supervise long-running background coding-agent sessions. This is disclosed and central to the product, but users should recognize that work continues outside the active chat turn.

Skill content
NEVER block the session waiting for the coding-agent. Always run in background.
Recommendation

Monitor active tasks and use the documented pause, cancel, status, and progress commands. Do not start tasks you are not prepared to supervise.

ASI03: Identity and Privilege Abuse
Low
What this means

Background coding-agent activity will run under the user's configured Claude Code account and may use that account's access and usage quota.

Why it was flagged

The skill relies on the user's authenticated Claude Code CLI session. That is expected for this integration, and the artifacts do not show credential logging, hardcoded secrets, or unrelated credential use.

Skill content
Prerequisite: `claude` must be installed and authenticated (`claude auth status`).
Recommendation

Confirm which Claude Code account is authenticated before use, and avoid using the skill where account usage, project confidentiality, or organizational policy would be a problem.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Repository structure, selected file details, and task instructions may be shared with the coding agent/provider during planning and implementation.

Why it was flagged

The PM skill sends project context and the user's request to a background Claude Code agent. This data flow is expected for the skill, but users should understand that project details may be processed by the Claude Code provider.

Skill content
command: claude -p "Context: <project type, language, framework, key directories, relevant files>\nRequest: <user's original request>
Recommendation

Use only with repositories and tasks that are permitted for third-party AI processing, and remove secrets or sensitive customer data from the working tree.
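The recommendations above (run only in a reviewable, backed-up checkout; confirm the authenticated Claude Code account; keep secrets out of the working tree) can be turned into a pre-flight gate run before each task. The script below is an added example written for this review; it is not part of the ClawScan report or of the Coding PM skill. It assumes a POSIX shell with `git` and the `claude` CLI on the path, that the skill's worktrees live under `~/.worktrees` (the path quoted in the ASI02 finding), and that the list of credential-like file names is an illustrative, constructed set rather than a complete secret scanner.

```shell
#!/bin/sh
# Pre-flight gate before launching a Coding PM task (added example, not part of the
# report or the skill). Assumes POSIX sh, git, and the `claude` CLI. The worktree root
# and the secret-file name patterns below are this example's own assumptions.

# Return 0 if DIR contains no files whose names commonly hold credentials, 1 otherwise.
# The patterns are a constructed, illustrative list; extend them for your environment.
secret_files_in() {
    dir="$1"
    found=$(find "$dir" -path "$dir/.git" -prune -o -type f \
        \( -name '.env' -o -name '.env.*' -o -name '*.pem' -o -name '*.key' \
           -o -name 'id_rsa' -o -name 'id_ed25519' -o -name '*.p12' \) -print)
    if [ -n "$found" ]; then
        printf 'refusing: credential-like files present:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Return 0 if DIR is a git checkout with no uncommitted changes, so that every edit
# the background agent makes will be visible in `git diff` / `git log` for review.
worktree_is_clean() {
    dir="$1"
    git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 || return 1
    [ -z "$(git -C "$dir" status --porcelain)" ]
}

# Return 0 if DIR resolves (symlinks followed) to a strict subdirectory of ROOT,
# which defaults to ~/.worktrees, the directory the skill's setup opens up.
# This confirms the agent's write scope is where you expect before starting.
under_worktree_root() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    root=$(cd "${2:-$HOME/.worktrees}" 2>/dev/null && pwd -P) || return 1
    case "$dir" in
        "$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Top-level gate: run every check, then `claude auth status` (the prerequisite the
# skill itself names) so the account the background agent will use is confirmed.
preflight() {
    dir="$1"
    under_worktree_root "$dir" || { echo "not under the worktree root" >&2; return 1; }
    worktree_is_clean "$dir"  || { echo "worktree has uncommitted changes" >&2; return 1; }
    secret_files_in "$dir"    || return 1
    claude auth status        || { echo "claude CLI is not authenticated" >&2; return 1; }
    echo "pre-flight passed for $dir"
}

# Usage: preflight ~/.worktrees/my-feature
```

Running `preflight` on the worktree before handing it to the skill gives a concrete answer to each recommendation: a refusal names the credential-like file or the uncommitted change, and the final `claude auth status` call shows which account will absorb the background agent's usage. Combine it with a container or dedicated profile, as the ASI02 recommendations suggest; the gate checks state, it does not contain the agent.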

ASI06: Memory and Context Poisoning
Info
What this means

Task identifiers, branch names, and local paths may remain available to the assistant across the task conversation.

Why it was flagged

The skill keeps operational task state in conversation memory so it can resume and monitor background work. This is purpose-aligned, but it means session and path metadata persist in the agent context.

Skill content
Store task context (sessionId, base branch, worktree path, phase) in your conversation memory.
Recommendation

Avoid putting secrets in task names, branch names, paths, or status messages, and clear or reset the conversation if task state should no longer be retained.