Clawpm

Pass

Audited by ClawScan on May 1, 2026.

Overview

Clawpm appears to be a coherent task-management CLI skill. It keeps project and log state locally, as expected for its purpose, and installs from an external GitHub source that users should review before installing.

Install only if you trust the GitHub source, since the package code is fetched from it at install time rather than bundled with the skill. Use it in the project directories it is intended for, review state-changing commands before running them, and avoid putting secrets into task bodies, research notes, or work logs.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill depends on trusting the current contents of the GitHub repository.

Why it was flagged

The skill installs executable code from a remote GitHub git source. This is expected for a CLI skill, but the artifacts show neither a pinned commit nor bundled code for review, so what gets installed is whatever the repository holds at install time.

Skill content

uv | package: git+https://github.com/malphas-gh/clawpm | creates binaries: clawpm

Recommendation

Review the repository and prefer a pinned release or, better, a full commit hash before installing in sensitive environments; branch names and tags can be moved after you review them, a commit hash cannot.
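One way to enforce that recommendation at install time, as an added example that is not part of ClawScan or clawpm: a small POSIX shell helper that accepts a uv git source only when it carries a full 40-hex commit after `@`, and refuses branches, tags and bare URLs. The `@<commit>` suffix and the `uv tool install` command are assumed here from uv's pip-style VCS URL handling; `resolve_head` needs network access and is included only to show how to obtain a hash to pin.

```shell
#!/bin/sh
# Added example (not ClawScan's or clawpm's code): refuse to install a uv git
# source unless it is pinned to a full commit hash.
# Assumptions: uv accepts "git+https://host/org/repo@<ref>" and the package is
# installed with "uv tool install".

# pinned_commit SPEC -> prints the ref after '@' and exits 0 only when that ref
# is a 40-hex commit hash. Branch names and tags are mutable and do not count.
pinned_commit() {
  spec=$1
  case $spec in
    *@*) ref=${spec##*@} ;;
    *)   return 1 ;;
  esac
  printf '%s' "$ref" | grep -Eq '^[0-9a-f]{40}$' || return 1
  printf '%s\n' "$ref"
}

# pin_spec SPEC COMMIT -> SPEC with any existing "@ref" replaced by "@COMMIT"
pin_spec() {
  base=${1%%@*}
  printf '%s@%s\n' "$base" "$2"
}

# resolve_head SPEC -> commit currently at the remote's HEAD (needs network).
# Review that commit in the repository, then pin to it with pin_spec.
resolve_head() {
  url=${1#git+}
  url=${url%%@*}
  git ls-remote "$url" HEAD | cut -f1
}

# install_pinned SPEC -> installs only when SPEC is pinned to a commit hash
install_pinned() {
  if ! pinned_commit "$1" >/dev/null; then
    echo "refusing to install unpinned source: $1" >&2
    return 1
  fi
  uv tool install "$1"
}

# Usage (assumed workflow):
#   SPEC='git+https://github.com/malphas-gh/clawpm'
#   install_pinned "$SPEC"            # refused: no commit pinned
#   HEAD=$(resolve_head "$SPEC")      # review this commit in the repo first
#   install_pinned "$(pin_spec "$SPEC" "$HEAD")"
```

The check is deliberately stricter than "has an `@`": a spec like `...clawpm@main` passes review today and installs something else tomorrow, which is exactly the gap the finding describes.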

What this means

If asked to use the skill, the agent can update task status or logs, and careless or mistaken use would leave the project records inaccurate.

Why it was flagged

The documented CLI includes state-changing task operations, including a force option that completes a task regardless of its normal checks. This is in keeping with task management, but users should be aware that agent-invoked commands can alter local task records.

Skill content

clawpm done 25 --force     # Override and complete anyway

Recommendation

Review important state-changing commands before running them, especially force or bulk project-management actions.

What this means

Project logs, blockers, git status, and issue summaries are fed back into future agent work, so they both steer what the agent does next and expose private project information to the agent context.

Why it was flagged

The skill can collect and return persistent project context for future work. This is central to its purpose, but that context may contain sensitive project details or stale/incorrect instructions.

Skill content

Returns JSON with: project info + spec, in-progress/next task, blockers, recent work log, git status, open issues.

Recommendation

Avoid storing secrets in tasks, research notes, or work logs, and periodically review persistent project context for accuracy.
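A guard for agent-invoked calls that covers both the force option in the previous finding and the secrets-in-task-text recommendation here, as an added example that is not ClawScan's or clawpm's code: it refuses `--force` unless the operator has opted in for that call with an environment variable, and refuses any argument matching a few common credential patterns before the text can reach a task body or work log. The wrapper names, the `CLAWPM_ALLOW_FORCE` and `CLAWPM_AUDIT_LOG` variables and the secret patterns are assumptions; the page shows only `clawpm done 25 --force`, so the guard does not depend on any other subcommand names.

```shell
#!/bin/sh
# Added example (not ClawScan's or clawpm's code): a guard for agent-invoked
# clawpm calls. Assumptions: the CLAWPM_ALLOW_FORCE opt-in variable, the
# CLAWPM_AUDIT_LOG path, the patterns below, and a clawpm binary on PATH for
# run_guarded.

# Text that should never land in a task body, research note or work log:
# AWS access key ids, PEM private key headers, GitHub personal access tokens,
# and key=value / key: value pairs whose key names a credential.
SECRET_RE='AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|ghp_[A-Za-z0-9]{36}|(api[_-]?key|token|password|secret)[[:space:]]*[=:][[:space:]]*[^[:space:]]{8,}'

# looks_like_secret TEXT -> exit 0 if TEXT matches any pattern above
looks_like_secret() {
  printf '%s' "$1" | grep -Eiq -e "$SECRET_RE"
}

# has_force ARG... -> exit 0 if --force is among the arguments
has_force() {
  for a in "$@"; do
    if [ "$a" = "--force" ]; then return 0; fi
  done
  return 1
}

# guard_clawpm ARG... -> prints "allow" and exits 0, or prints the reason to
# stderr and exits 1. Pure decision: it never runs clawpm itself.
guard_clawpm() {
  if has_force "$@" && [ "${CLAWPM_ALLOW_FORCE:-0}" != "1" ]; then
    echo "deny: --force requires CLAWPM_ALLOW_FORCE=1 (set it only for a reviewed call)" >&2
    return 1
  fi
  for a in "$@"; do
    if looks_like_secret "$a"; then
      echo "deny: an argument looks like a credential; keep secrets out of tasks and logs" >&2
      return 1
    fi
  done
  echo allow
}

# run_guarded ARG... -> runs clawpm only when the guard allows it, and appends
# the full argv to an audit log so state changes can be reviewed afterwards.
run_guarded() {
  guard_clawpm "$@" >/dev/null || return 1
  printf '%s clawpm %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" \
    >> "${CLAWPM_AUDIT_LOG:-clawpm-audit.log}"
  clawpm "$@"
}

# Usage (assumed): point the agent at run_guarded instead of clawpm, e.g.
#   run_guarded done 25            # allowed, logged
#   run_guarded done 25 --force    # denied until CLAWPM_ALLOW_FORCE=1 is set
```

The opt-in variable is meant to be set for one reviewed invocation, not exported in the agent's environment, otherwise the guard degrades to the audit log alone. The audit log is the part worth keeping even if the pattern list is trimmed: it is what lets you reconcile the task records later when a force or bulk action turns out to have been wrong.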