TPM Copilot
Author: Tyler Hill (GitHub) · v1.0.0
583 total downloads · 0 favorites · 0 current installs · 1 version
Install in OpenClaw:
/install tpm-copilot
Description
AI-powered operating system for Technical Program Managers and Project Managers. Pulls data from Jira, Linear, GitHub, and calendars to auto-generate status...
Safe-use recommendations
This package is internally consistent with its claimed purpose, but you should:
- review and place API credentials deliberately: use least-privilege tokens (e.g., project-scoped Jira tokens, machine/service accounts where possible);
- inspect the generated workspace ($HOME/.openclaw/workspace/tpm by default) and config.json before running;
- be aware that the scripts can create Jira issues and post to Slack/email, so test with a sandbox project/webhook first;
- avoid supplying org-wide admin tokens: prefer individual or service-account tokens with limited scopes;
- verify that the gh CLI is authenticated to the correct GitHub account and test gh commands manually;
- if you need the registry to reflect required env vars, ask the publisher to update the metadata so automated permission checks can be accurate.
Analysis
Type: OpenClaw Skill
Name: tpm-copilot
Version: 1.0.0
The skill is classified as suspicious due to critical vulnerabilities that could lead to remote code execution (RCE) and arbitrary file system manipulation. Specifically, `scripts/add-program.sh` is vulnerable to path traversal and command injection via the `--name` argument, allowing an attacker to create files/directories outside the intended workspace or execute arbitrary commands. Furthermore, `scripts/risk-radar.sh` and `scripts/status-report.sh` execute `gh` CLI commands using `subprocess.run` where the `--repo` argument is sourced from `programs/<name>/config.json`. If an attacker can manipulate this configuration file (potentially by exploiting the `add-program.sh` vulnerability), they could inject shell commands into the `repo` field, leading to RCE. The skill also handles sensitive API keys (Jira, Linear, GitHub, Slack, Resend), making it a high-value target if these vulnerabilities are exploited.
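The two weaknesses described above, an unvalidated `--name` program identifier used to build filesystem paths and a `repo` value read from config.json and handed to `gh`, share one mitigation: allowlist-validate the value before any filesystem or subprocess use, and never let it reach a shell. The following is an added example of that hardening in Python; it is not code from the tpm-copilot scripts, and the function names, the `programs/<name>` layout and the specific `gh issue list` command line are assumptions.

```python
import re
import subprocess
from pathlib import Path

# Constructed allowlists (assumptions, not the skill's own rules):
# a program name is a short slug; a repo is a GitHub "owner/name" pair.
PROGRAM_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")
REPO_SLUG_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,38}/[A-Za-z0-9._-]{1,100}$")


def is_safe_program_name(name: str) -> bool:
    """True only for a plain slug: no '/', '..', whitespace or shell metacharacters."""
    return PROGRAM_NAME_RE.fullmatch(name) is not None


def is_safe_repo_slug(repo: str) -> bool:
    """True only when the config.json 'repo' field looks like owner/name and nothing else."""
    return REPO_SLUG_RE.fullmatch(repo) is not None


def program_dir(workspace: Path, name: str) -> Path:
    """Resolve programs/<name> and additionally prove it stays inside the workspace."""
    if not is_safe_program_name(name):
        raise ValueError(f"invalid program name: {name!r}")
    root = (workspace / "programs").resolve()
    target = (root / name).resolve()
    # Defence in depth: even if the regex were loosened later, an escape is still caught.
    if root not in target.parents:
        raise ValueError("program directory escapes the workspace")
    return target


def gh_issue_list_argv(repo: str) -> list[str]:
    """Build the gh command as an argv list; with no shell involved, metacharacters are inert."""
    if not is_safe_repo_slug(repo):
        raise ValueError(f"invalid repo slug: {repo!r}")
    return ["gh", "issue", "list", "--repo", repo, "--json", "number,title"]


def run_gh_issue_list(repo: str) -> subprocess.CompletedProcess:
    """shell=False (the default) means the repo value is never parsed by a shell."""
    return subprocess.run(gh_issue_list_argv(repo), capture_output=True, text=True, check=False)
```

The same validate-then-argv pattern applies to any other config.json field the scripts forward to `gh`, Jira or Slack.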
Capability assessment
Purpose & Capability
The name/description align with the included scripts: they query Jira, Linear, GitHub (via gh or token), parse meeting notes, build reports, track risks/dependencies and optionally post to Slack or email. Required tools and data sources mentioned in SKILL.md are appropriate for a TPM/PM automation tool.
Instruction Scope
Runtime instructions and scripts read and write the user's TPM workspace (default: $HOME/.openclaw/workspace/tpm), process meeting notes, and call external APIs (Jira, Linear, GitHub via gh, Slack webhook, possible email providers). That scope is expected given the purpose, but the skill will attempt network calls and create tickets/alerts when configured — confirm you want those actions. Also, SKILL.md and scripts reference environment variables and config paths that were not declared in the registry metadata (see environment_proportionality).
Install Mechanism
There is no install spec (instruction-only), and included scripts are executed in-place. The scripts prompt the user to install 'requests' and require the 'gh' CLI for GitHub operations; no remote downloads or obscure installers are used in the provided files.
Credentials
The skill expects multiple credentials and configuration: JIRA_BASE_URL/JIRA_EMAIL/JIRA_API_TOKEN, LINEAR_API_KEY, GITHUB_TOKEN or gh CLI auth, SLACK_WEBHOOK_URL, calendar/email API keys, and program-specific config.json files. Those credentials are proportionate to the described integrations, but the registry metadata lists no required env vars — the omission is a mismatch you should be aware of. Ensure you provide least-privilege API tokens and avoid using highly-privileged or shared organization-wide tokens.
Persistence & Privilege
The skill writes to and reads from a workspace directory it creates (config.json, state.json, programs/*, meetings/*, risks/*, dependencies/*). It does not request always:true or modify other skills; workspace persistence and file writes are normal for this type of tool. Review files it creates and their locations before running.
How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Type the install command in the chat box: /install tpm-copilot
- After installation completes, call the Skill by its name directly or trigger it with /tpm-copilot.
- Provide the required inputs according to the Skill's parameter description to receive structured output.
Version history
v1.0.0
Initial release: status reports, risk radar, meeting prep, dependency tracking, dashboards
FAQ
What is TPM Copilot?
AI-powered operating system for Technical Program Managers and Project Managers. Pulls data from Jira, Linear, GitHub, and calendars to auto-generate status... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 583 cumulative downloads so far.
How do I install TPM Copilot?
Run the command "/install tpm-copilot" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is TPM Copilot free?
Yes, TPM Copilot is completely free (open source and free of charge); you can download, install and use it freely.
Which platforms does TPM Copilot support?
TPM Copilot is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who develops TPM Copilot?
Developed and maintained by Tyler Hill (@reighlan); the current version is v1.0.0.