PIV - Plan Implement Validate
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can change code and run local commands as part of implementing a PRP.
The executor role is explicitly allowed to edit project files and execute commands. This is expected for a software implementation workflow, but it is high-impact if run in the wrong repository or against an unsafe PRP.
Use the available tools (read, write, edit, exec) to implement changes and run commands
Run it only in the intended project directory, review PRPs before execution, and monitor or approve command execution where your agent platform allows.
Project test/build commands may run code on your machine.
The skill directs agents to run validation commands from the PRP/project. Running tests, builds, and linters is normal for this purpose, but those commands can execute arbitrary project code if the repository or PRP is untrusted.
Execute the level validation system from the PRP: Level 1... Level 2... Level 3... Level 4... Each level must pass before proceeding
Use trusted repositories or sandbox the environment before letting the skill run validation commands.
A repository’s own instruction files or generated planning documents can influence what the agent does later.
The workflow encourages future agents to treat project-level instruction files and generated PRPs as context. This is common for coding workflows, but malicious or stale repo instructions could steer agent behavior if the project is untrusted.
Global rules: Follow any project-level configuration files (CLAUDE.md, AGENTS.md, .cursorrules, etc.)
Review CLAUDE.md, AGENTS.md, .cursorrules, PRPs, and planning files before execution, especially in third-party repositories.
Multiple agent sessions may work on the project during one workflow run.
The skill uses sub-agent sessions for research, execution, validation, and debugging. This is disclosed and central to the skill’s purpose, and the instructions say to wait for results rather than leave hidden agents running.
Use the `sessions_spawn` tool to create fresh sub-agent sessions. Each spawn is non-blocking — you'll receive results via an announce step. Wait for each agent's results before proceeding
Use this skill when you want multi-agent orchestration, and keep phase ranges/debug loops bounded for large or sensitive projects.
