v0.4.2

Coding PM

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 6:09 AM.

Analysis

This skill is coherent for coding automation, but it delegates work to a background Claude Code agent with permission prompts disabled and broad filesystem/code-change authority.

GuidanceReview before installing. This skill is best used on trusted development repositories where you are comfortable letting an authenticated Claude Code session run in the background, modify a worktree, run commands, and prepare commits. Start on non-production code, keep secrets out of the repository, monitor active tasks, and review all plans and diffs before approving execution or merge.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityHighConfidenceHighStatusConcern

README.md

| Execution (Phase 3) | Full access via `--dangerously-skip-permissions` | Write code, run tests, commit changes |

The skill explicitly gives the background coding agent full execution authority with Claude Code permission prompts disabled. This is disclosed and purpose-aligned, but broad enough to require careful review before use.

User impactA background agent can modify project files, run commands, and commit changes; a bad plan, bad prompt, or unexpected repository content could lead to unwanted code changes before the user inspects them.

RecommendationUse only on trusted, non-production repositories at first; review the plan, diffs, commits, and test output before approving merge or cleanup.

Rogue Agents

SeverityMediumConfidenceHighStatusNote

SKILL.md

- NEVER block the session waiting for the coding-agent. Always run in background.

The skill intentionally launches autonomous background coding sessions. This is central to its purpose, but users should notice that work may continue asynchronously after the initial request.

User impactCoding tasks can keep running in the background and may consume resources or continue changing a worktree while the user is doing other things.

RecommendationTrack active tasks with the provided task commands, limit concurrency, and cancel or pause tasks you no longer want running.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceMediumStatusNote

SKILL.md

SUPERVISOR_PROMPT=$(find ~/.openclaw -path "*/coding-pm/references/supervisor-prompt.md" -print -quit 2>/dev/null)

The skill dynamically uses the first matching local supervisor prompt file under `~/.openclaw`. That supports custom install paths, but the selected prompt influences the background coding agent's behavior.

User impactIf multiple or stale copies of the skill exist locally, the wrong supervisor prompt could be appended to the coding agent.

RecommendationKeep only trusted copies of the skill installed and verify the supervisor prompt path if behavior seems unexpected.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

SKILL.md

Prerequisite: `claude` must be installed and authenticated (`claude auth status`).

The skill relies on the user's authenticated Claude Code CLI session. No credential theft or leakage is shown, but actions run under the user's Claude account.

User impactClaude Code usage may consume the user's account quota and process repository context under that authenticated account.

RecommendationConfirm the Claude account, organization, and data-use policy are appropriate for the repositories where this skill will be used.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusNote

SKILL.md

command: claude -p "Context: <project type, language, framework, key directories, relevant files>\nRequest: <user's original request>" ... --allowedTools "Read,Glob,Grep,LS,WebSearch,WebFetch,..."

The PM agent sends project context and the user's request to a separate Claude Code agent, which is also allowed to read/search project files and use web tools. This is expected for the integration, but it is a sensitive agent-to-provider data flow.

User impactRepository details and task requests may be processed by Claude Code and, where web tools are used, may be combined with external research.

RecommendationUse this only for codebases that are approved for Claude Code processing, and avoid including secrets or production credentials in prompts or repositories.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

SKILL.md

- Store task context (sessionId, base branch, worktree path, phase) in your conversation memory.

The skill stores operational task state in conversation memory. This appears scoped to task management, but it creates persistent context that may be reused later in the chat.

User impactTask names, branch names, worktree paths, and session identifiers may remain in the agent's conversation context.

RecommendationAvoid putting secrets in task names or requests, and clear or reset the conversation context when task state should no longer be retained.