v1.0.0

Project Router

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:26 AM.

Analysis

The skill mostly matches its project-management purpose, but it deserves review because it can execute project-defined shell commands, apply file-write plans without path boundaries, and its MCP server calls a hard-coded external program.

Guidance

Install only if you are comfortable with a project tool that can run local target commands and write project files. Before using it, verify the MCP server points to the reviewed CLI, inspect .project/targets.json and any plan JSON before running or applying, and use Trello sync only with the intended account and board.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: High; Confidence: High; Status: Concern
scripts/server.js
const PROJECT_BIN = '/home/safa/clawd/bin/project'; ... const r = spawnSync(PROJECT_BIN, args, { encoding: 'utf8' });

The MCP server executes an absolute-path binary outside the supplied file manifest, while the metadata declares no install spec or required binary. Tool calls may therefore run an unreviewed local executable if that path exists.

User impact: Using the MCP server could execute whatever program is present at that hard-coded path, not necessarily the reviewed script in this skill.
Recommendation: Use a packaged, relative, or explicitly installed/pinned CLI path; declare the required binary in metadata and avoid hard-coded user-specific home paths.

Tool Misuse and Exploitation
Severity: High; Confidence: High; Status: Concern
scripts/project.js
const planPath = path.join(projDir, 'history', 'plans', `${planId}.json`); ... const dst = path.join(root, w.path); ... fs.writeFileSync(dst, String(w.content));

The apply flow reads a plan selected by an unconstrained planId and writes plan-provided paths with no normalization check that the plan file stays under the plans directory or that writes stay under the project root.

User impact: A crafted or poisoned plan could overwrite files outside the intended .project bundle or project directory.
Recommendation: Resolve and validate planId and each write path, reject absolute or ../ paths, enforce that destinations remain inside the project root or .project bundle, and show the full write list before applying.

Tool Misuse and Exploitation
Severity: Medium; Confidence: High; Status: Note
scripts/project.js
const commands = t.commands || []; ... const r = spawnSync(cmd, { cwd: root, shell: true, stdio: 'inherit', env: process.env });

Target execution is disclosed and purpose-aligned, but it runs command strings from .project/targets.json through a shell with the user's environment.

User impact: Running a target can perform any action encoded by the local project, including changing files, deploying services, or exposing environment-derived output.
Recommendation: Review .project/targets.json before running targets, especially in downloaded repositories, and require explicit user approval for deploy, format, destructive, or long-running targets.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium; Confidence: Medium; Status: Note
SKILL.md
`project pm trello sync [--project <slug>]` ... `ensures the single "Safa — PM" Trello board exists` ... `upserts cards` ... `moves cards to match status`

The documented Trello sync would mutate a third-party account/workspace, but the metadata declares no primary credential or required environment variables.

User impact: If used with Trello credentials, the skill may create or modify boards, lists, cards, and labels in the selected Trello account.
Recommendation: Confirm which Trello account and board will be used, prefer least-privilege credentials, and run sync only after reviewing the intended card/list changes.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low; Confidence: High; Status: Note
SKILL.md
`Canonical PM is local + queryable (SQLite): projects, tasks, context packs.` ... `Recommended DB location ... /home/safa/clawd/data/pm/pm.sqlite`

The skill intentionally creates persistent project/task/context storage that can be reused across sessions.

User impact: Project paths, task references, artifact URLs, and context notes may persist locally and influence later project-switching behavior.
Recommendation: Keep the PM database in an expected private location, avoid storing secrets in project briefs or task refs, and periodically review or prune persistent context.