SPM - Super Project Manager
Pass
Audited by VirusTotal on May 13, 2026.
Overview
Type: OpenClaw Skill
Name: spm
Version: 3.0.0
The SPM (Super Project Manager) skill bundle is a highly structured framework designed to orchestrate software development projects using AI agents. It implements a rigorous 5-phase lifecycle (Requirement, Planning, Execution, Quality, Delivery) and enforces professional engineering standards such as Test-Driven Development (TDD), adversarial plan reviews, and multi-stage code quality gates. The included utility scripts in the `scripts/` directory, such as `attest-wbs.sh`, `verify-wbs.sh`, and `verify_checklists.py`, provide legitimate functionality for project initialization, integrity verification of task ledgers, and automated quality/security scanning (e.g., checking for hardcoded secrets). The bundle demonstrates a strong focus on security and reliability, with no evidence of malicious intent, data exfiltration, or unauthorized persistence.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may edit project files, run local commands, use browser automation, and coordinate other agents during development tasks.
The skill requests broad local editing, command execution, process, browser, session, and subagent capabilities. This is expected for a software project manager, but these tools can make high-impact changes if misused.
allowed-tools: ["read", "write", "edit", "exec", "process", "sessions_spawn", "sessions_yield", "subagents", "cron", "memory_search", "memory_get", "browser"]
Use it in trusted project directories, review phase approvals, and confirm before deployments, dependency changes, database changes, or destructive commands.
If the WBS ledger or project notes contain incorrect, stale, or malicious instructions, they could shape later agent behavior.
The skill intentionally reuses WBS ledger/task context across tool calls. This is central to its workflow, but persistent or project-controlled context can influence future agent actions.
**Hook Auto-Injection** | Active tasks auto-injected into context before every tool call
Keep `docs/spm/ledger.md` under review, avoid pasting untrusted instructions into task context, and treat hash attestation as integrity protection rather than proof that content is safe.
Multiple agent sessions may see parts of the project plan, code context, and task evidence.
The skill is designed to hand work to subagents and bind them to WBS tasks. This is purpose-aligned, but it means project context and task details may be shared across agent sessions.
**Subagent Dispatch** — Parallel and sequential task execution with automatic WBS binding
Use subagent mode only for projects where sharing relevant project context across agents is acceptable, and prefer step-by-step confirmation for sensitive work.
A future repository change could alter what gets installed if the user follows the clone command without pinning a version.
The install documentation uses an unpinned GitHub clone rather than a fixed commit or release artifact. It is manual and disclosed, but users depend on the repository contents at clone time.
git clone https://github.com/zhbcher/openclaw-spm.git ~/.openclaw/skills/spm
Install from a trusted release, tag, or reviewed commit when possible, and inspect scripts before enabling the skill.
The skill may maintain project progress state and coordinate ongoing work during an active project.
The documented configuration enables recurring heartbeat/checkpoint behavior and parallel subagents by default, while deployment is disabled by default. This is disclosed and related to session recovery, but it is persistent project-management behavior.
"heartbeat_interval": "10m", "auto_checkpoint": true, "parallel_subagents": true, "deployment_enabled": false
Disable auto-checkpointing or parallel subagents if you do not want ongoing project-state automation.
Running the command with the wrong path or shell expansion could delete local files.
The upgrade guide includes a destructive delete command, but it is a manual, scoped removal of this skill's own workspace directory before replacement.
rm -rf ~/.openclaw/workspace/spm
tar xzf spm-skill-v2.tar.gz -C ~/.openclaw/workspace/
Verify the path before running upgrade commands and back up any local modifications under the skill directory.
