Security
What This Repository Ships
Section titled “What This Repository Ships”pm-skills distributes:
- Skills (
skills/) - markdown instruction files (SKILL.mdplusreferences/TEMPLATE.mdandreferences/EXAMPLE.md). These are prompts, not executables; an agent reads them and follows them when you invoke a skill. - Sub-agent definitions (
agents/) - markdown system-prompt files for the 6 sub-agents (pm-critic, pm-skill-auditor, pm-changelog-curator, pm-release-conductor, pm-workflow-orchestrator, pm-skill-router). - Slash commands (
commands/) and workflows (_workflows/) - markdown that points an agent at a skill or an ordered sequence of skills. - Hooks (
hooks/) - two Claude Code hooks plus a small shared lib, all dependency-free Node. See below; these are the one part of the plugin that can act without an explicit per-invocation request. - Repo tooling (
scripts/) - Node validators and generators that run in this repository’s own CI. They do not ship as part of the code that executes automatically inside an install; see Supply Chain below for what actually reaches a user. - Docs (
docs/,site/) - reference material and the published documentation site.
Nothing Executes at Install Time
Section titled “Nothing Executes at Install Time”Installing pm-skills, by any path (the Claude Code plugin marketplace, npx skills add, git clone, or a release ZIP), does not run any code. Skills, sub-agent definitions, commands, and workflows are inert markdown: an agent only acts on them when you invoke a skill or command, and at that point it is the agent’s own tool calls (Read, Write, Edit, and so on, each subject to your client’s own permission model), not a script pm-skills shipped.
The one exception, and it is opt-in, is hooks.
Hooks Are Opt-In, Disclosed, and Fail Open
Section titled “Hooks Are Opt-In, Disclosed, and Fail Open”pm-skills ships two Claude Code hooks (registered in hooks/hooks.json against the PreToolUse and SessionStart events). Both are inert until you opt in, via a gitignored, per-project file, .claude/pm-skills.local.md:
- House-rule guardrails (
hooks/guardrails.mjs,PreToolUse). Off by default; aguardrails: truekey in the local config file turns it on. When enabled, it can deny aWrite/Edit/MultiEdit/NotebookEdit/ExitPlanModecall that introduces an em-dash or en-dash, and can warn (never deny) on an unfilled placeholder or an unsourced numeric metric. - Phase router (
hooks/phase-router.mjs,SessionStart). On by default, but silent by design: it only ever adds a short contextual note (which product-development phase the repo signals suggest, and which skills apply) and never blocks or modifies anything. Setphase_router: offin the same local config file to disable it entirely.
Both hooks fail open: a parse error, a missing config file, or any unexpected input allows the tool call through rather than blocking it. Neither hook makes a network call or imports a third-party dependency; both run as node ${CLAUDE_PLUGIN_ROOT}/hooks/*.mjs with no node_modules present, a design rule enforced in hooks/README.md. Full configuration schema: Hooks and Output-Quality Checks.
Supply Chain
Section titled “Supply Chain”- Plugin marketplace. The recommended install path (
/plugin marketplace add product-on-purpose/agent-plugins) resolves through theagent-pluginsmarketplace, which pins its pm-skills entry to an exact commit SHA rather than a mutable branch, re-pinned at every release. An install therefore always resolves to a specific, auditable commit, not whatevermainhappens to contain at fetch time. - Release ZIPs. Every tagged release publishes
pm-skills-vX.Y.Z.zipalongside apm-skills-vX.Y.Z.zip.sha256checksum file and a plain-textmanifest.txtrecording the same hash (built byscripts/build-release.sh, published by.github/workflows/release-zips.yml). Verify a downloaded ZIP against its checksum before trusting its contents:Terminal window sha256sum -c pm-skills-vX.Y.Z.zip.sha256 - What a release ZIP excludes.
docs/internal/(maintainer working notes) is deliberately excluded from every packaged release; onlyskills/,commands/,_workflows/,agents/,hooks/,library/,scripts/, the plugin manifests, and the public docs ship. - Release automation. The release-please automation (
.github/workflows/release-please.yml) is configured to run with a fine-grained, repository-scoped token rather than the broad default Actions token, falling back to the default token only while that scoped token is being provisioned.
See Provenance and Trust for the same posture restated for readers who never open this repository.
Supported Versions
Section titled “Supported Versions”| Version | Supported |
|---|---|
| 2.x | ✅ |
| < 2.0 | ❌ |
Reporting a Vulnerability
Section titled “Reporting a Vulnerability”If you discover a security issue in pm-skills, report it privately first.
Preferred channel:
- Use GitHub Private Vulnerability Reporting:
Fallback channel:
- Open a GitHub issue requesting a private follow-up (do not include exploit details or secrets):
What to include:
- Affected file(s) or workflow(s)
- Reproduction steps
- Impact assessment
- Suggested remediation (if available)
Response targets:
- Initial acknowledgement within 2 business days
- Ongoing status updates until resolution
This policy covers:
- Repository content (
skills/,commands/,_workflows/, docs, templates) - Hooks (
hooks/) and their opt-in configuration - Build/release tooling and GitHub Actions workflows
- Published release artifacts
Out of Scope
Section titled “Out of Scope”The following are generally out of scope for this repository:
- Vulnerabilities in third-party tools or clients not maintained here
- Security behavior of external AI platforms integrating these skills