Mini PIV - Lightweight Feature Builder
Pass
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent coding-workflow skill, but it can run project commands, spawn sub-agents, modify files, and create a local git commit after you invoke it.
Install only if you want an agent to actively implement features in your repository. Use it from a clean working tree, review project instruction files and generated PRPs, and check diffs before allowing the final git commit.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Unrelated local changes or files in the repository could be included in the generated commit if the working tree is not clean.
The workflow performs broad git staging and a local commit as its final step. This is disclosed and aligned with a feature-builder skill, but `git add -A` can include unrelated tracked or untracked changes.
cd PROJECT_PATH && git status && git diff --stat
git add -A
git commit -m
Run this only in the intended repository, start from a clean working tree, and review `git status`/diffs before the commit step.
Project test, build, lint, or service-start commands may run code from the repository on your machine.
The executor role is instructed to edit files and run validation/build/test commands. That is central to the skill’s purpose, but repository scripts can execute arbitrary local code.
Use the available tools (read, write, edit, exec) to implement changes and run commands
Use this in repositories you trust, or review the project’s scripts and validation commands before allowing execution.
Project context and implementation details may be shared across spawned agent sessions during the workflow.
The orchestrator passes project paths, PRP paths, summaries, gaps, and errors between multiple spawned agents. The roles are defined and bounded, but it is still an inter-agent data flow.
Use the `sessions_spawn` tool to create fresh sub-agent sessions
Use the skill only when you are comfortable with sub-agents receiving project context needed for implementation and validation.
A malicious or unexpected project instruction file could steer how the agent plans, edits, or runs commands.
The generated PRP template tells agents to follow repository-level instruction files. This is normal in coding agents, but those files can influence agent behavior if the repository is untrusted.
Global rules: Follow any project-level configuration files (CLAUDE.md, AGENTS.md, .cursorrules, etc.)
Review project-level agent instruction files before using this skill on unfamiliar repositories.
Generated planning files may retain project details and may be reused by future agent runs.
The skill persists codebase analysis and generated PRPs inside the project. This is expected for the workflow, but those files may contain implementation context and can later influence agents.
Save to: {PROJECT_PATH}/PRPs/planning/mini-{FEATURE_NAME}-analysis.md
Review generated PRP and analysis files before committing or sharing the repository.
Research commands may use your locally configured GitHub identity if you have the GitHub CLI authenticated.
The skill optionally suggests using the GitHub CLI for research. If `gh` is configured, it may operate under the user’s GitHub account, though the artifacts do not show token capture or unrelated account actions.
Shell/command runner — use `gh` CLI for GitHub code search, repo exploration
Be aware of which GitHub account `gh` is logged into, especially when working with private repositories.
