project-manager-pro

Security checks across malware telemetry and agentic risk

Overview

This is a mostly coherent local task manager, but its first-run flow can run a shell script that may install packages and one scheduled review script can rewrite task data without a clear consent step.

Review setup.sh before installing and run it manually only if you are comfortable with it creating ~/.openclaw/workspace/pm-pro and possibly installing jq through your system package manager. Avoid storing secrets or highly sensitive details in tasks, review cross-tool integrations before enabling them, and be aware that weekly-review.sh can move old completed tasks into archive files and rewrite the active task list.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (9)

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The setup prompt explicitly instructs the agent to run setup.sh before any user interaction, which authorizes shell execution without a clear necessity, disclosure, or consent boundary. In a setup flow for a project-management skill, this creates avoidable risk because a shell script could modify files, exfiltrate data, or perform other side effects before the user understands what will happen.

Intent-Code Divergence

High
Confidence: 96%
Finding
The script is presented as a weekly review/report generator, but it also performs state-changing archival and deletion from the active task file later in execution. This mismatch is dangerous because users or calling agents may invoke it expecting read-only reporting, while it silently rewrites task data and can remove items from the primary dataset.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
A script whose primary apparent purpose is generating a summary also appends to archive files and rewrites the active tasks file, creating destructive side effects. In an agent setting, this is especially risky because periodic or automated execution can mutate user data without meaningful consent, and failures during archive/merge logic can cause duplication, loss of visibility, or corruption of task records.

Vague Triggers

Medium
Confidence: 81%
Finding
The README tells users to 'just talk to your agent' and provides broad examples, but it does not define clear activation boundaries, confirmation requirements, or limits on when the skill should act. In an agentic environment, ambiguous invocation guidance can cause unintended task creation, modification, or other side effects from ordinary conversation or cross-tool context.

Missing User Warnings

Low
Confidence: 90%
Finding
The README states that tasks and projects are stored persistently under ~/.openclaw/workspace/pm-pro/ but does not clearly warn users before setup/use that personal data will be written to disk. This can lead to unintentional retention of sensitive information such as contracts, appointments, deadlines, or project details on shared or insecure systems.

Missing User Warnings

Medium
Confidence: 90%
Finding
The setup flow directs the agent to write settings.json and create a data directory via setup.sh without an explicit user-facing confirmation step or transparency about filesystem changes. Even if the intended behavior is benign configuration, silent persistence and command execution during onboarding reduce user control and can mask unsafe file writes or broader script behavior.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill persistently stores task and project data under the user's home directory, but it does not present a clear user-facing warning at the point of use that conversations will be written to local files. This creates a privacy and consent issue because users may disclose sensitive personal, health, finance, or work information while believing the interaction is ephemeral.

Missing User Warnings

Medium
Confidence: 95%
Finding
The cross-tool integration section instructs the agent to automatically create tasks from other tools and copy contextual data into notes, but it does not warn users that data from those tools will be duplicated into this skill's local storage. This increases privacy risk and data sprawl, especially if upstream tools handle sensitive billing, health, meal, or productivity information.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script gives no prior warning or confirmation before modifying persistent task data; it only prints a message after changes are already made. This undermines user awareness and agent safety controls, making unintended archival difficult to prevent during automated runs and increasing the chance of surprise data movement from the active task list.

VirusTotal

65/65 vendors flagged this skill as clean.
