AI-Driven Project Management: TensorPM
v1.1.12AI-powered project management - a Notion and Jira alternative with local-first architecture. Manage projects, track action items, and coordinate teams via MCP tools or A2A agent communication. Signed & notarized. https://tensorpm.com
⭐ 4· 4.1k·5 current·5 all-time
by@neo552
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name and description (local-first project management, A2A/MCP integration) match the SKILL.md content. The instructions focus on talking to a local TensorPM app (MCP tools, A2A JSON-RPC) and configuring AI provider keys — functionality that fits the stated purpose.
Instruction Scope
Instructions direct the agent to interrogate and control a local A2A endpoint (localhost:37850), list projects, read contexts, and create/update tasks. This is expected for an integration, but the A2A endpoint is described as unauthenticated by default and 'localhost requests are trusted' — meaning the agent can read and modify all project data on the running app with no additional auth. The SKILL.md also instructs using a 'set_api_key' tool to save user API keys into the app (write-only), which is within scope but increases sensitivity because those keys will be stored and used by the desktop app.
Install Mechanism
This is an instruction-only skill (no install spec). SKILL.md provides user-facing download instructions that reference the project's website and GitHub releases — typical for a desktop app. The skill itself does not download or execute code on the agent host.
Credentials
The registry declares no required environment variables, and SKILL.md does not require credentials to operate. It does mention an optional A2A_HTTP_AUTH_TOKEN env var to enable token auth, and describes storing third-party AI API keys (OpenAI, Anthropic, Google, Mistral) via the app. Those behaviors are proportional to the app's function, but users should be aware that API keys are written into the app and that A2A is unauthenticated by default unless they set the optional token.
Persistence & Privilege
always is false and the skill is user-invocable; model invocation is allowed (default). Autonomous invocation combined with the unauthenticated localhost A2A endpoint gives the skill the ability to query and modify local project data when the agent runs — this is consistent with the integration but increases the potential blast radius if you grant the agent broad autonomy.
Assessment
This skill is coherent for integrating with a locally running TensorPM desktop app, but before installing: 1) Only enable it if you run or trust the local TensorPM app it talks to (the skill assumes the app is running); 2) Consider enabling A2A_HTTP_AUTH_TOKEN in TensorPM so the A2A endpoint requires a token — by default the endpoint trusts all localhost requests; 3) Be cautious about storing third-party API keys in the app (understand how the app protects them and whether they are encrypted); 4) If you allow the agent autonomous invocation, be aware it can read and modify project data via the local API; 5) Verify downloads and signatures from the referenced GitHub releases/tensorpm.com yourself before installing the desktop app. If you want higher assurance, ask the skill author for a homepage/source repo, release checksums, or more details on how keys are stored.Like a lobster shell, security has layers — review code before you run it.
a2avk97btmfwg2472d0xz1h2c5t8wd80fnapcontext-driven-project-managementvk97btmfwg2472d0xz1h2c5t8wd80fnaplatestvk976c84ss3v3pvpqny2gr7ftvx80kn6platest productivityvk977gwk7hkq119pz3ywz6rv9q180hvsnmcpvk97btmfwg2472d0xz1h2c5t8wd80fnappmvk970tdpzskbjd4dr60zvqgbzg980jrfdproductivityvk97e5zk23gj367jn9dvwfj4rbs80kc14project managementvk976c84ss3v3pvpqny2gr7ftvx80kn6pproject-managementvk97e5zk23gj367jn9dvwfj4rbs80kc14projectsvk976c84ss3v3pvpqny2gr7ftvx80kn6ptasksvk97btmfwg2472d0xz1h2c5t8wd80fnap
License
MIT-0
Free to use, modify, and redistribute. No attribution required.