Project Context Sync
Review
Audited by ClawScan on May 1, 2026.
Overview
The skill behaves consistently with its stated purpose, but users should notice that it installs a persistent git hook, can read a local Clawdbot gateway token, and writes AI-generated project context for future agent use.
This skill appears purpose-aligned and not malicious based on the provided artifacts. Before installing, be comfortable with a repo-level post-commit hook, decide whether AI summaries should remain enabled, and review PROJECT_STATE.md if future agents will use it as project context.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
After installation, commits in that repository will trigger automatic updates to PROJECT_STATE.md until the hook is removed.
The installed git hook runs the updater automatically in the background after each commit. This is persistent automation, but it is disclosed and central to the skill's purpose.
"$SKILL_DIR/scripts/update-context.sh" "$REPO_ROOT" &
Install only in repositories where this automatic post-commit behavior is desired, and use the provided uninstall script if you no longer want it.
If AI summaries are enabled and a token is present, the script can use the user's local Clawdbot gateway authorization without asking again on each commit.
AI mode reads the local Clawdbot gateway token from the user's config file so it can authenticate to the local gateway. This is disclosed in SKILL.md and is purpose-aligned, but it is credential use.
CLAWDBOT_CONFIG="$HOME/.clawdbot/clawdbot.json" ... CONFIG_TOKEN=$(jq -r '.gateway.auth.token // empty' "$CLAWDBOT_CONFIG" 2>/dev/null)
Keep the Clawdbot config file protected, enable the gateway only when needed, and set ai_summary: false in .project-context.yml if you do not want the hook to use the gateway token.
Commit messages, branch name, author, changed filenames, and recent commit history may be processed by the local AI gateway to generate the project summary.
The updater sends a chat-completions request to a local Clawdbot gateway endpoint using a bearer token and a hardcoded agent ID. The endpoint is localhost and documented, but it is still an agent/gateway data flow.
curl -s -X POST "$GATEWAY_URL/v1/chat/completions" -H "Authorization: Bearer $GATEWAY_TOKEN" -H "x-clawdbot-agent-id: main"
Use AI mode only when you trust the local gateway configuration and the model/provider behind it; otherwise disable AI summaries.
Future agents may rely on PROJECT_STATE.md for current focus and suggested next steps, so inaccurate or adversarial content in commit history could shape later decisions.
The generated PROJECT_STATE.md is intended to become persistent context for future agents. Because it is derived from commit history and optional LLM output, misleading commit messages or AI mistakes could influence later agent work.
Keep a living project state document updated after each commit, so any agent (or future session) can instantly understand where things stand.
Treat PROJECT_STATE.md as helpful context rather than authority, review it in shared or untrusted repositories, and disable AI summaries if you want only raw git facts.
