Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Projitive
v2.1.3
Projitive is an MCP-first governance skill for agent-driven delivery. Use this before changing task states or writing governance artifacts. Core flow: taskNe...
by Alain (@yinxulai)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious · medium confidence
Purpose & Capability
Name/description (governance/MCP-first) align with the SKILL.md: it focuses on discovery, context, task lifecycle, and writing governance artifacts. However, the SKILL.md requires using @projitive/mcp (npm) even though the skill metadata declared no required binaries or install spec — a mismatch between declared requirements and runtime instructions.
Instruction Scope
The instructions tell the agent to locate or create a .projitive repo root, call projectInit immediately ("Do NOT ask the user"), and read/write governance files (README.md, roadmap.md, tasks.md, designs/, reports/, templates/). Those file reads/writes are coherent for a governance skill, but the explicit directive to initialize and modify repository files autonomously (without user confirmation) expands the agent's scope and risk surface.
Install Mechanism
SKILL.md directs: `npm install -g @projitive/mcp@latest`. The package comes from the public npm ecosystem (not bundled or declared in the skill metadata). Requiring a global, always-latest install is a supply-chain and stability risk; the skill package did not include an install spec or declare this dependency in metadata, which is an inconsistency.
Credentials
The skill requests no environment variables, credentials, or config paths. All actions are limited to repository files and the external npm package; there is no direct request for secrets or unrelated credentials.
Persistence & Privilege
The skill sets always:false (normal), and autonomous invocation is allowed (platform default). The skill instructs writing and modifying repository governance files and running projectInit; while these are scoped to the project, automatic, unprompted writes are functionally privileged and should be confirmed by the user or sandboxed.
What to consider before installing
Before installing or enabling this skill:
(1) Understand that it tells the agent to run `npm install -g @projitive/mcp@latest` and to initialize/modify a .projitive governance tree in your repo without asking. That means a network/package install plus automatic file writes.
(2) Verify the npm package and its GitHub repo (https://github.com/yinxulai/projitive) and review its code and maintainers; prefer pinning to a specific vetted version instead of `latest`.
(3) If you allow it, run the package in an isolated environment (container or sandbox) first, or restrict the agent so it must request explicit permission before creating/modifying files.
(4) If you do not trust the external package or automatic repo writes, do not enable autonomous invocation, and require manual approval for any projectInit or file changes.
