claude-code-pm
Audited by Socket on Mar 2, 2026
2 alerts found:
Anomaly / Security: No direct malware or obfuscated payload is present in this document itself. However, the workflow contains high-risk operational patterns: it instructs installing unpinned third-party skills and running the Claude agent with --dangerously-skip-permissions and fully autonomous apply/verify steps that bypass manual approvals. That combination creates a significant supply-chain and automation risk: a malicious or compromised skill or agent could fetch code, execute arbitrary commands, exfiltrate secrets, or modify the repository. Recommend treating this as unsafe to run as-is in sensitive environments: require pinning and validating packages, remove or disallow --dangerously-skip-permissions, run actions in isolated sandboxes, and require human-in-the-loop approvals.
This PM skill instructs users to run local scripts and install third-party agent 'skills' using npx and to delegate work to agents with options that bypass interactive permission checks. The functionality (orchestration, background delegation, monitoring) can be legitimate for a product-manager-style orchestrator, but its installation and execution model is high risk: it relies on executing unpinned remote code, transitive installs of arbitrary skills, and an explicit --dangerously-skip-permissions flag that removes human oversight. These elements together create a substantial supply-chain and credential-exfiltration risk. There is no direct evidence in the provided text of active malware (no embedded exfiltration endpoints or hardcoded secrets), but the patterns are consistent with common credential-harvesting and supply-chain attack vectors. Recommend treating this skill as suspicious: require pinned, signed releases for all skills, review all referenced scripts before running, avoid --dangerously-skip-permissions, and restrict npx installs to verified sources.
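The two patterns both alerts call out (unpinned `npx` execution and the `--dangerously-skip-permissions` flag) can be gated mechanically before a skill file or workflow is run. The following is an added example, not Socket's scanner and not code from the audited skill: a small static checker that scans instruction text for those patterns, treats only an exact numeric version or a full commit hash as "pinned", and also flags `npx -y`/`--yes`, which suppresses the install prompt. The sample instructions it scans are constructed for illustration and are not quoted from the skill.

```python
"""Static check for high-risk patterns in agent skill / workflow instructions.

Added example (not Socket's scanner and not part of the audited skill): flags
unpinned `npx` execution, `npx -y`/`--yes` auto-confirmation, and the
`--dangerously-skip-permissions` flag so a skill can be blocked before install.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

DANGEROUS_FLAGS = ("--dangerously-skip-permissions",)

# `npx [flags...] <spec> ...`; group 1 = leading flags, group 2 = package spec.
NPX_RE = re.compile(r"\bnpx\s+((?:-[\w-]+\s+)*)([^\s;&|]+)")
# pkg@1.2.3 or @scope/pkg@1.2.3: a numeric version, so `@latest`/`@next` do not count.
VERSION_PIN_RE = re.compile(r"^(?:@[\w.-]+/)?[\w.-]+@\d[\w.+-]*$")
# git/tarball spec pinned to a full 40-hex commit hash.
COMMIT_PIN_RE = re.compile(r"#[0-9a-f]{40}$")


@dataclass
class Finding:
    line_no: int
    kind: str      # "dangerous-flag" | "unpinned-npx" | "npx-auto-yes"
    detail: str


def is_pinned(spec: str) -> bool:
    """True only for an exact numeric version or a full commit hash."""
    return bool(VERSION_PIN_RE.match(spec) or COMMIT_PIN_RE.search(spec))


def scan(text: str) -> list[Finding]:
    """Return every finding in `text`, in line order."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        for flag in DANGEROUS_FLAGS:
            if flag in line:
                findings.append(Finding(n, "dangerous-flag", flag))
        for m in NPX_RE.finditer(line):
            flags, spec = m.group(1).split(), m.group(2)
            if "-y" in flags or "--yes" in flags:
                findings.append(Finding(n, "npx-auto-yes", spec))
            if not is_pinned(spec):
                findings.append(Finding(n, "unpinned-npx", spec))
    return findings


def verdict(text: str) -> str:
    """'block' if any finding is present, else 'pass'."""
    return "block" if scan(text) else "pass"


# Constructed sample of the kind of instructions the audit describes; it is
# not copied from the audited skill and the package names are hypothetical.
SAMPLE = """\
1. Install the helper skill:
   npx -y example-skill-installer add someone/example-skill
2. Pinned install (acceptable):
   npx example-cli@1.4.2 init
3. Run the agent fully autonomously:
   claude --dangerously-skip-permissions -p "apply and verify"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
    print("verdict:", verdict(SAMPLE))
```

Run as a pre-install or pre-commit gate, a non-empty finding list is the signal to stop and review; the pinned `example-cli@1.4.2` line produces no finding, while the `-y` install and the skip-permissions invocation each do. A `@latest` tag is deliberately treated as unpinned, since it resolves to whatever the registry serves at run time.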