v2.1.3

Projitive

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:25 AM.

Analysis

Projitive is a coherent project-governance skill with no evidence of exfiltration or destructive behavior, but it relies on an unpinned MCP package and can update local governance files.

Guidance: Install this only if you want Projitive MCP to manage project governance state. Before use, review or pin the referenced npm package, run it in the correct repository, inspect the resulting .projitive task and roadmap changes, and avoid placing secrets in persistent governance files.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
npm install -g @projitive/mcp@latest

The skill asks for a global install of the latest external MCP package, so the executable behavior can change over time and is not pinned to the reviewed artifact version.

User impact: A future or compromised package release could change what the MCP server does when the skill uses it.
Recommendation: Install the MCP package only from a trusted source, consider pinning a reviewed version, and review package changes before updating.
Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
call `projectInit(projectPath="<project-dir>")` immediately. Do NOT ask the user to do this manually. ... Governance state writes MUST go through MCP tools

The skill directs the agent to use MCP tools to initialize and write project governance state without requiring the user to perform those steps manually.

User impact: The MCP workflow may create or change local governance files such as tasks, roadmaps, designs, and reports.
Recommendation: Use it in the intended repository only, review file diffs, and require explicit confirmation if automatic task or roadmap changes are not desired.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Info | Confidence: High | Status: Note
SKILL.md
`taskContext` — get evidence and hints ... Design rationale → `.projitive/designs/`; Execution outcome → `.projitive/reports/`

The skill stores and later reuses project governance context, evidence, and hints, which can guide future agent behavior.

User impact: Incorrect or untrusted content in the governance files could influence future task choices or status updates.
Recommendation: Keep .projitive content reviewed, avoid storing secrets there, and treat governance files as persistent instructions and context for the agent.