Is cyberneticsplus/pmp-agentclaw safe?
https://github.com/openclaw/skills/tree/main/skills/cyberneticsplus/pmp-agentclaw
PMP-Agentclaw is a project management assistant implementing PMBOK 7th Edition methodology with clean SKILL.md content — no prompt injection, persona switching, or exfiltration instructions were found. The primary risks are indirect: CLI tools accept arbitrary filesystem paths that could expose sensitive files if the agent is manipulated by external content, SKILL.md directs the agent to execute npx commands, and the multi-agent orchestration capability (up to 50 delegations) significantly amplifies any vulnerabilities. Credential file accesses observed in monitoring are attributed to the audit system's canary infrastructure based on timing analysis, not to the skill itself.
Findings (7)
HIGH CLI tools accept arbitrary filesystem paths without restriction -17
score-risks.js accepts a --file flag that reads any JSON file from the filesystem without path sanitization or directory confinement. health-check.js accepts any string as projectDir and resolves it with path.resolve(), then scans for project documents. If a malicious actor injects instructions into content the agent processes (e.g., a project document containing a prompt injection), they could direct the agent to invoke these CLIs against sensitive paths such as ~/.aws/credentials or ~/.ssh/.
MEDIUM SKILL.md instructs agent to execute npx command -10
Rule 14 of SKILL.md contains an explicit instruction for the agent to run 'npx pmp-agentclaw health-check' to validate project data consistency. This causes the agent to execute pre-compiled Node.js code directly from the system prompt directive, without user initiation.
MEDIUM Skill ships pre-compiled JavaScript bundles -8
The dist/ directory contains compiled CommonJS JavaScript modules that execute directly in Node.js. The TypeScript source is present and was reviewed as consistent with the compiled output, but distributing pre-compiled bundles still reduces transparency and auditability: a future update could let dist/ diverge from src/ without that divergence being detected.
MEDIUM Multi-agent orchestration with 50-delegation limit amplifies risk surface -28
skill.json declares multiAgent support with maxDelegations: 50 and supports orchestrator, sub-agent, and standalone modes using a hub-and-spoke pattern. A skill that can spawn and direct 50 sub-agents significantly amplifies the blast radius of any compromise — minor data access or prompt injection vulnerabilities that might be low-impact in a standalone skill become high-impact when multiplied across an agent tree.
LOW {baseDir} template variable relies on unvalidated runtime resolution -7
SKILL.md uses {baseDir} as a template placeholder for file paths (e.g., {baseDir}/configs/agile-mappings.json, {baseDir}/templates/project-charter.md). If the runtime does not constrain baseDir to the skill installation directory, an attacker with control over this variable could direct the agent to read files from arbitrary locations on the filesystem.
LOW npm prepare script executes build on standard install -5
package.json declares a 'prepare' lifecycle script ('npm run build') that would run TypeScript compilation automatically during npm install. This was not triggered in this audit (installation used git clone + cp), but users installing via npm would execute tsc and any code reachable from the build toolchain.
INFO Sensitive credential files read-accessed during monitoring — attributed to audit system 0
Files including /home/oc-exec/.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud application_default_credentials.json were opened for reading. The pre-install accesses at audit timestamp 1771901835.944-946 (items 261-266) predate skill installation by ~6 seconds and coincide with audit infrastructure setup (ss -tunap at item 259). The post-install accesses at 1771901859.059 (items 1928-1933) have no associated skill EXECVE records and align with canary verification. The canary integrity report confirms that none of the files were modified.