Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
TPM Copilot
v1.0.0
AI-powered operating system for Technical Program Managers and Project Managers. Pulls data from Jira, Linear, GitHub, and calendars to auto-generate status...
⭐ 0 · 489 · 0 current · 0 all-time
by Tyler Hill (@reighlan)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Benign (medium confidence)
Purpose & Capability
The name/description align with the included scripts: they query Jira, Linear, GitHub (via gh or token), parse meeting notes, build reports, track risks/dependencies and optionally post to Slack or email. Required tools and data sources mentioned in SKILL.md are appropriate for a TPM/PM automation tool.
Instruction Scope
Runtime instructions and scripts read and write the user's TPM workspace (default: $HOME/.openclaw/workspace/tpm), process meeting notes, and call external APIs (Jira, Linear, GitHub via gh, Slack webhook, possible email providers). That scope is expected given the purpose, but the skill will attempt network calls and create tickets/alerts when configured — confirm you want those actions. Also, SKILL.md and scripts reference environment variables and config paths that were not declared in the registry metadata (see environment_proportionality).
Install Mechanism
There is no install spec (instruction-only), and included scripts are executed in-place. The scripts prompt the user to install 'requests' and require the 'gh' CLI for GitHub operations; no remote downloads or obscure installers are used in the provided files.
Credentials
The skill expects multiple credentials and configuration: JIRA_BASE_URL/JIRA_EMAIL/JIRA_API_TOKEN, LINEAR_API_KEY, GITHUB_TOKEN or gh CLI auth, SLACK_WEBHOOK_URL, calendar/email API keys, and program-specific config.json files. Those credentials are proportionate to the described integrations, but the registry metadata lists no required env vars — the omission is a mismatch you should be aware of. Ensure you provide least-privilege API tokens and avoid using highly-privileged or shared organization-wide tokens.
Persistence & Privilege
The skill writes to and reads from a workspace directory it creates (config.json, state.json, programs/*, meetings/*, risks/*, dependencies/*). It does not request always:true or modify other skills; workspace persistence and file writes are normal for this type of tool. Review files it creates and their locations before running.
Assessment
This package is internally consistent with its claimed purpose, but you should:
1. Review and place API credentials deliberately: use least-privilege tokens (e.g., project-scoped Jira tokens, machine/service accounts where possible).
2. Inspect the generated workspace ($HOME/.openclaw/workspace/tpm by default) and config.json before running.
3. Be aware that scripts can create Jira issues and post to Slack/email; test with a sandbox project/webhook first.
4. Avoid supplying org-wide admin tokens: prefer individual or service-account tokens with limited scopes.
5. Verify the gh CLI is authenticated to the correct GitHub account and test gh commands manually.
6. If you need the registry to reflect required env vars, ask the publisher to update the metadata so automated permission checks can be accurate.
Like a lobster shell, security has layers — review code before you run it.
Tags: agile, github, jira, latest, linear, project-management, risk, status-report, tpm
