PIV - Plan Implement Validate

PIV workflow orchestrator - Plan, Implement, Validate loop for systematic multi-phase software development. Use when building features phase-by-phase with PRPs, automated validation loops, or multi-agent orchestration. Supports PRD creation, PRP generation, codebase analysis, and iterative execution with validation.

This skill appears to be a coherent PIV orchestrator, but verify a few things before use: 1) Provenance: metadata references a GitHub repo (SmokeAlot420/ftw) but the skill source/homepage fields are otherwise unknown — confirm the author and source before trusting it. 2) sessions_spawn behavior: the orchestration relies on a sessions_spawn tool to create fresh sub-agent sessions. Confirm your platform provides this tool and that its permissions/behavior are what you expect (spawning sub-agents may expand attack surface). 3) Repository safety: the skill instructs agents to read the codebase and config files. Remove or isolate any secrets (.env, config with credentials) from the repo before running, or run the skill against a sanitized/isolated test copy. 4) Tool availability: SKILL.md references other CLIs (tree, gh, linters, test runners). Only git is declared required — missing tools will be reported by the agents, but expect differences in behavior if tools are unavailable. 5) Commit behavior: the workflow will create commits and uses a hardcoded commit message that points to an external GitHub URL — if you don't want that trace, plan to change the commit step. 6) If you need higher assurance: request the skill's source or repository, or run it in a disposable/test repository first to observe behavior. Given the mixture of mostly coherent behavior plus provenance and operational assumptions, I rate this as suspicious (medium confidence). If you can confirm the homepage/source and sessions_spawn semantics, the assessment could be upgraded to benign.

Type: OpenClaw Skill Name: piv Version: 1.1.0 This skill bundle is classified as suspicious due to its extensive use of high-risk capabilities, including arbitrary shell command execution, broad file system access, and network interaction via web search and `gh` CLI. While these capabilities are plausibly needed for a software development workflow agent, they present a significant attack surface. Specifically, `SKILL.md`, `prp_base.md`, `execute-prp.md`, `generate-prp.md`, `piv-debugger.md`, `piv-executor.md`, and `piv-validator.md` instruct the agent to run various project-defined commands (e.g., build, test, lint) and interact with GitHub via `gh` CLI, which could be leveraged for malicious purposes if the agent processes untrusted input (e.g., a malicious PRP or project configuration).