PM — AI Product Manager Skill
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This instruction-only PM skill is mostly purpose-aligned, but it asks the agent to keep sensitive named stakeholder records and proactively scan workplace systems without clear consent, scope, or retention limits.
Install only if you are comfortable using the agent as a PM-style advisor. Keep external tool access narrow, require approval before it scans workplace systems or sends outreach, and be careful about creating a persistent people registry containing names, concerns, sensitivities, or relationship assessments.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may store or reuse sensitive personal workplace information in ways the people concerned did not expect.
The skill directs the agent to maintain persistent, named records about coworkers or stakeholders, including sensitive interpersonal assessments and concerns.
Maintain one entry per person you actively work with... **Known sensitivities**... **Current top concern**... **Relationship health**
Only use this registry with explicit user approval, limit it to necessary professional facts, avoid sensitive personal judgments unless required, and define where it is stored, who can see it, and when it should be deleted.
Stale, inaccurate, or overly sensitive notes about people could influence later product decisions or communications.
The registry is intended to be continuously updated and reused across interactions, but the artifacts do not define retention, consent, correction, or access boundaries for this persistent memory.
After every meaningful conversation: update "Last substantive interaction" and "Current top concern"... After every sprint: review the full registry
Treat the registry as a private, user-controlled work artifact; require confirmation before saving sensitive relationship notes and periodically review or delete outdated entries.
If the agent has connected workplace tools, it could inspect private or unrelated project information while performing the PM change-sensing the skill asks for.
The skill encourages broad proactive scanning of code, chat, and document systems, but does not define which repos, channels, documents, permissions, or user approvals are required.
Scan GitHub PRs merged since yesterday, key chat channels, and doc edit history. Look for product-affecting changes that weren't communicated to you.
Before enabling tool access, restrict it to specific approved repositories, channels, and documents, and require user confirmation before summarizing or acting on sensitive findings.
The agent might appear to make or prepare decisions ahead of explicit requests, which can be risky in business contexts.
The skill frames PM work as self-initiated and potentially not visible to the team. There is no code or background worker, but the instruction could encourage autonomous behavior if paired with tools or scheduling.
This is your internal PM agenda... invisible to the team unless you choose to share outputs. These are things you start, not things you respond to.
Use the proactive agenda as a checklist, not permission for unsupervised action; require the agent to ask before contacting people, changing plans, or using external tools.
