Coding PM
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This skill is transparent about managing coding work, but it gives a background Claude Code agent broad local execution and filesystem authority, so it should be reviewed carefully before use.
Install only if you are comfortable letting a background Claude Code agent work on your repository with broad local permissions. Start on non-production code, review every plan and diff, use a sandbox or dedicated OS account where possible, and keep task requests free of secrets.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A background agent could read or modify more local files than a normal workspace-restricted skill and can make code, test, and commit changes with few runtime permission checks.
The skill explicitly asks the user to loosen OpenClaw filesystem confinement and runs Claude Code with permission prompts disabled for code mutation. This is purpose-aligned, but it is broad, high-impact authority with containment largely relying on prompts and process discipline.
openclaw config set tools.fs.workspaceOnly false ... Execution (Phase 3) | Full access via `--dangerously-skip-permissions` | Write code, run tests, commit changes
Use only on trusted, non-production repositories at first; prefer a sandbox/container or dedicated OS account; review plans and diffs before approving execution or merge; re-enable workspace restrictions when not using the skill.
A malformed or hostile task request could potentially change the command that is run, especially because the surrounding workflow uses high-privilege background execution.
The instructions show arbitrary request text being embedded into a bash command string. The artifacts do not specify using a prompt file, heredoc, or escaping strategy, so quotes or shell metacharacters in user text could be mishandled by the shell.
command: claude -p "Context: <project type, language, framework, key directories, relevant files>\nRequest: <user's original request> ..."
Construct Claude prompts via temporary files, safely quoted heredocs, or command arguments that do not pass user text through shell interpolation; validate generated task names and paths.
Claude Code usage, repository access, and any resulting costs or account-side effects are tied to the user's configured Claude Code credentials.
The skill depends on the user's authenticated Claude Code session. This is expected for a Claude Code orchestration skill, but it means actions and provider usage occur under the user's account.
Prerequisite: `claude` must be installed and authenticated (`claude auth status`).
Use a dedicated Claude Code account or profile if possible, and confirm the account is appropriate for the repositories being processed.
Source code, filenames, project structure, and task details may be exposed to Claude Code during planning and implementation.
The PM skill delegates work to Claude Code with file-reading and web tools, so project context and task details can be processed by the external Claude Code agent/provider. This is central to the skill but important for privacy expectations.
--allowedTools "Read,Glob,Grep,LS,WebSearch,WebFetch,..."
Do not use this skill on repositories or tasks that cannot be shared with the configured Claude Code provider; check your organization's AI/code-sharing policy first.
Work may continue in the background, including tests and code changes, while the user is not actively watching the chat.
The skill intentionally creates background coding-agent sessions that continue after the chat is free. This is disclosed and purpose-aligned, but users should treat it as long-running autonomous activity.
NEVER block the session waiting for the coding-agent. Always run in background.
Use `/task list`, `/task status`, and `/task cancel` to monitor and stop background tasks; avoid starting tasks on sensitive or production branches.
Task names, branch names, worktree paths, and session IDs may persist in conversation context across messages.
The skill stores operational task state in memory for later coordination. This is useful and scoped, but persistent task metadata can influence later task handling.
Store task context (sessionId, base branch, worktree path, phase) in your conversation memory.
Avoid putting secrets in task names or requests, and clear or reset task context if it becomes stale or incorrect.
