Init Manager

Review

Audited by ClawScan on May 10, 2026.

Overview

This is mostly a project-management integration, but it tells the agent to periodically fetch and obey remote AI guides while using an API key that can change tasks, so users should review the authority it grants.

Before installing, confirm that you trust the Init Manager workspace and everyone who can edit its AI guides. Treat the API key as sensitive, limit its permissions if possible, and ensure any webhook/cron automation only handles intended tasks.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Someone who can edit those AI guides could influence the agent's behavior beyond normal task details, including how it performs work or uses tools.

Why it was flagged

The skill makes mutable remote content from Init Manager authoritative for the agent, without clearly bounding it to the active task or saying it must not override higher-priority instructions.

Skill content

There are three levels of AI instructions. **Always follow them.** ... **On first boot and periodically:** fetch all three and follow the combined instructions.

Recommendation

Only use this with trusted Init Manager workspaces, and amend the guidance so fetched AI guides are treated as task context, not as instructions that override system, developer, or user directions.

What this means

The agent may change task status, create records, add comments, assign users, or change labels in Init Manager.

Why it was flagged

The documented API operations let the agent modify project-management records, which is expected for this skill but still affects shared workflow state.

Skill content

Update task | PATCH | `/api/tasks/<id>` ... Create task | POST | `/api/tasks` ... Add comment | POST | `/api/tasks/<id>/comments` ... Assign user | POST | `/api/tasks/<id>/assign`

Recommendation

Use a least-privilege API key where possible and monitor task changes, especially if the skill is triggered automatically.

What this means

Anyone or any agent process with access to that token may be able to act in Init Manager with the token's permissions.

Why it was flagged

The skill relies on an Init Manager bearer token for account access; this is purpose-aligned, but it is sensitive authority and is not reflected in the registry requirements.

Skill content

Your workspace needs these in `TOOLS.md` or environment: ... **API Key** (Bearer token, starts with `initm_`)

Recommendation

Store the API key securely, avoid exposing it unnecessarily in shared files, rotate it if leaked, and prefer a token scoped only to the needed projects/actions.