
TPM Copilot

by Tyler Hill · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Downloads: 583
Stars: 0
Active Installs: 0
Versions: 1
Install in OpenClaw
/install tpm-copilot
Description
AI-powered operating system for Technical Program Managers and Project Managers. Pulls data from Jira, Linear, GitHub, and calendars to auto-generate status...
Usage Guidance
This package is internally consistent with its claimed purpose, but you should:
  1. Review and place API credentials deliberately — use least-privilege tokens (e.g., project-scoped Jira tokens, machine/service accounts where possible).
  2. Inspect the generated workspace ($HOME/.openclaw/workspace/tpm by default) and config.json before running.
  3. Be aware that scripts can create Jira issues and post to Slack/email — test with a sandbox project/webhook first.
  4. Avoid supplying org-wide admin tokens: prefer individual or service-account tokens with limited scopes.
  5. Verify the gh CLI is authenticated to the correct GitHub account and test gh commands manually.
  6. If you need the registry to reflect required env vars, ask the publisher to update the metadata so automated permission checks can be accurate.
Capability Analysis
Type: OpenClaw Skill
Name: tpm-copilot
Version: 1.0.0
The skill is classified as suspicious due to critical vulnerabilities that could lead to remote code execution (RCE) and arbitrary file system manipulation. Specifically, `scripts/add-program.sh` is vulnerable to path traversal and command injection via the `--name` argument, allowing an attacker to create files/directories outside the intended workspace or execute arbitrary commands. Furthermore, `scripts/risk-radar.sh` and `scripts/status-report.sh` execute `gh` CLI commands using `subprocess.run` where the `--repo` argument is sourced from `programs/<name>/config.json`. If an attacker can manipulate this configuration file (potentially by exploiting the `add-program.sh` vulnerability), they could inject shell commands into the `repo` field, leading to RCE. The skill also handles sensitive API keys (Jira, Linear, GitHub, Slack, Resend), making it a high-value target if these vulnerabilities are exploited.
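The two weaknesses above (an unvalidated `--name` used to build a path, and a config-sourced `repo` value handed to `gh`) are both fixed by the same pattern: a strict allowlist on the input, a containment check on the resolved path, and an argv-list invocation with no shell. The following is an added illustration, not the skill's own code; the workspace path follows the default named on this page, while the function names, the regexes and the `gh issue list` invocation are assumptions.

```python
import os
import re
import subprocess

# Added example, not code from the tpm-copilot skill. Helper names and patterns are assumed.
WORKSPACE = os.path.join(os.path.expanduser("~"), ".openclaw", "workspace", "tpm")

# A program name may only be a single path component of safe characters.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")
# A GitHub repo reference is exactly "owner/name" with no shell-significant characters.
_REPO_RE = re.compile(r"^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$")


def program_dir(name: str, workspace: str = WORKSPACE) -> str:
    """Return the directory for a program, refusing names that would escape the workspace.

    Two independent checks: a strict allowlist on the name (rejects '..', '/',
    quotes, ';' and similar), then a realpath containment check so that even a
    symlinked workspace cannot be used to write outside programs/.
    """
    if not _NAME_RE.fullmatch(name):
        raise ValueError(f"invalid program name: {name!r}")
    root = os.path.realpath(workspace)
    target = os.path.realpath(os.path.join(root, "programs", name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("program path escapes workspace")
    return target


def gh_issue_list_argv(repo: str) -> list:
    """Build the gh command as an argv list so the repo value is never parsed by a shell."""
    if not _REPO_RE.fullmatch(repo):
        raise ValueError(f"invalid repo reference: {repo!r}")
    return ["gh", "issue", "list", "--repo", repo, "--json", "number,title,state"]


def run_gh(repo: str) -> subprocess.CompletedProcess:
    """Run gh with shell=False; a malformed 'repo' field from config.json is rejected first."""
    return subprocess.run(gh_issue_list_argv(repo), shell=False,
                          capture_output=True, text=True, check=True)
```

The validation happens before any filesystem or process call, so a hostile `config.json` produces a `ValueError` rather than a shell command.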
Capability Assessment
Purpose & Capability
The name/description align with the included scripts: they query Jira, Linear, GitHub (via gh or token), parse meeting notes, build reports, track risks/dependencies and optionally post to Slack or email. Required tools and data sources mentioned in SKILL.md are appropriate for a TPM/PM automation tool.
Instruction Scope
Runtime instructions and scripts read and write the user's TPM workspace (default: $HOME/.openclaw/workspace/tpm), process meeting notes, and call external APIs (Jira, Linear, GitHub via gh, Slack webhook, possible email providers). That scope is expected given the purpose, but the skill will attempt network calls and create tickets/alerts when configured — confirm you want those actions. Also, SKILL.md and scripts reference environment variables and config paths that were not declared in the registry metadata (see environment_proportionality).
Install Mechanism
There is no install spec (instruction-only), and included scripts are executed in-place. The scripts prompt the user to install 'requests' and require the 'gh' CLI for GitHub operations; no remote downloads or obscure installers are used in the provided files.
Credentials
The skill expects multiple credentials and configuration: JIRA_BASE_URL/JIRA_EMAIL/JIRA_API_TOKEN, LINEAR_API_KEY, GITHUB_TOKEN or gh CLI auth, SLACK_WEBHOOK_URL, calendar/email API keys, and program-specific config.json files. Those credentials are proportionate to the described integrations, but the registry metadata lists no required env vars — the omission is a mismatch you should be aware of. Ensure you provide least-privilege API tokens and avoid using highly-privileged or shared organization-wide tokens.
Persistence & Privilege
The skill writes to and reads from a workspace directory it creates (config.json, state.json, programs/*, meetings/*, risks/*, dependencies/*). It does not request always:true or modify other skills; workspace persistence and file writes are normal for this type of tool. Review files it creates and their locations before running.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install tpm-copilot
  3. After installation, invoke the skill by name or use /tpm-copilot
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: status reports, risk radar, meeting prep, dependency tracking, dashboards
Metadata
Slug tpm-copilot
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is TPM Copilot?

AI-powered operating system for Technical Program Managers and Project Managers. Pulls data from Jira, Linear, GitHub, and calendars to auto-generate status... It is an AI Agent Skill for Claude Code / OpenClaw, with 583 downloads so far.

How do I install TPM Copilot?

Run "/install tpm-copilot" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is TPM Copilot free?

Yes, TPM Copilot is completely free (open-source). You can download, install and use it at no cost.

Which platforms does TPM Copilot support?

TPM Copilot is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created TPM Copilot?

It is built and maintained by Tyler Hill (@reighlan); the current version is v1.0.0.
