SPM - Super Project Manager
Pass. Audited by ClawScan on May 13, 2026.
Overview
This appears to be a legitimate project-management coding skill, but it has broad project automation powers that users should supervise.
Install this only if you want an agent to actively manage and modify software projects. Prefer a pinned release or reviewed commit, inspect the scripts before use, keep the WBS ledger clean of untrusted instructions, and require explicit confirmation for deployments, database changes, dependency changes, and destructive commands.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may edit project files, run local commands, use browser automation, and coordinate other agents during development tasks.
The skill requests broad local editing, command execution, process, browser, session, and subagent capabilities. This is expected for a software project manager, but these tools can make high-impact changes if misused.
allowed-tools: ["read", "write", "edit", "exec", "process", "sessions_spawn", "sessions_yield", "subagents", "cron", "memory_search", "memory_get", "browser"]
Use it in trusted project directories, review phase approvals, and confirm before deployments, dependency changes, database changes, or destructive commands.
If the WBS ledger or project notes contain incorrect, stale, or malicious instructions, they could shape later agent behavior.
The skill intentionally reuses WBS ledger/task context across tool calls. This is central to its workflow, but persistent or project-controlled context can influence future agent actions.
**Hook Auto-Injection** | Active tasks auto-injected into context before every tool call
Keep `docs/spm/ledger.md` under review, avoid pasting untrusted instructions into task context, and treat hash attestation as integrity protection rather than proof that content is safe.
Multiple agent sessions may see parts of the project plan, code context, and task evidence.
The skill is designed to hand work to subagents and bind them to WBS tasks. This is purpose-aligned, but it means project context and task details may be shared across agent sessions.
**Subagent Dispatch** — Parallel and sequential task execution with automatic WBS binding
Use subagent mode only for projects where sharing relevant project context across agents is acceptable, and prefer step-by-step confirmation for sensitive work.
A future repository change could alter what gets installed if the user follows the clone command without pinning a version.
The install documentation uses an unpinned GitHub clone rather than a fixed commit or release artifact. It is manual and disclosed, but users depend on the repository contents at clone time.
git clone https://github.com/zhbcher/openclaw-spm.git ~/.openclaw/skills/spm
Install from a trusted release, tag, or reviewed commit when possible, and inspect scripts before enabling the skill.
The skill may maintain project progress state and coordinate ongoing work during an active project.
The documented configuration enables recurring heartbeat/checkpoint behavior and parallel subagents by default, while deployment is disabled by default. This is disclosed and related to session recovery, but it is persistent project-management behavior.
"heartbeat_interval": "10m", "auto_checkpoint": true, "parallel_subagents": true, "deployment_enabled": false
Disable auto-checkpointing or parallel subagents if you do not want ongoing project-state automation.
Running the command with the wrong path or shell expansion could delete local files.
The upgrade guide includes a destructive delete command, but it is a manual, scoped removal of this skill's own workspace directory before replacement.
rm -rf ~/.openclaw/workspace/spm
tar xzf spm-skill-v2.tar.gz -C ~/.openclaw/workspace/
Verify the path before running upgrade commands and back up any local modifications under the skill directory.
