Piv
PassAudited by ClawScan on May 10, 2026.
Overview
Piv is a coherent software-development workflow skill, but it can modify a chosen project, run validation commands, and coordinate sub-agents, so users should run it only on trusted repositories and review generated plans.
Install/use this skill if you want an agent to plan, implement, and validate software changes in a project. Before running it, make sure the repository is trusted, commit or back up current work, inspect PRDs/PRPs and local instruction files such as CLAUDE.md or AGENTS.md, and avoid including secrets in project files that sub-agents may read.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may change source code and run tests, builds, or other validation commands in the project you point it at.
The executor is explicitly allowed to edit project files and execute commands, which is expected for this development workflow but can have high impact in the selected repository.
Use the available tools (read, write, edit, exec) to implement changes and run commands
Use it in a trusted repository, keep version control clean before running, and review PRPs and validation commands before allowing broad implementation work.
A repository's local instruction files or PRPs could steer the agent's coding choices and command selection.
The skill tells agents to follow repository-level instruction files. That is common for coding agents, but those files can influence behavior if the repository is untrusted or contains unsafe instructions.
Global rules: Follow any project-level configuration files (CLAUDE.md, AGENTS.md, .cursorrules, etc.)
Inspect project instruction files and PRPs first, especially when working with third-party or newly cloned repositories.
Project details and generated plans may be shared between the orchestrator and spawned sub-agents during the workflow.
The workflow intentionally passes project paths, PRD/PRP content, and execution summaries among sub-agent sessions; this is disclosed and central to the skill, but users should understand that project context is shared across agent sessions.
Use the `sessions_spawn` tool to create fresh sub-agent sessions. Each spawn is non-blocking — you'll receive results via an announce step.
Avoid running the workflow on projects containing secrets or private data unless you are comfortable with that context being used by the involved agent sessions.
Generated planning documents can shape future code changes if reused across phases.
The workflow creates and later relies on persistent planning and PRP files inside the project. This is appropriate for a phased development process, but stale or tampered planning files could affect later implementation.
Save to: {PROJECT_PATH}/PRPs/planning/{PRD_NAME}-phase-{N}-analysis.mdReview generated PRDs, PRPs, and planning files before continuing to later implementation phases.