PRD Engine

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only PRD-writing skill; its command examples and broad quick-start phrases are worth using carefully but do not show hidden or malicious behavior.

Safe to install as a PRD-writing helper. Review any generated agent-ready stories before letting an agent run their commands, especially database migration or push commands, and avoid pasting confidential product or business data unless that is acceptable in your agent session.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The quick-start examples use very broad natural-language phrases such as 'Write a PRD for [feature name]' and 'Review this PRD and score it', which can plausibly overlap with ordinary user conversation and trigger the skill unintentionally. Because this is a README for a generally useful PRD-writing skill, the context makes accidental invocation more likely rather than less, especially in environments that auto-route based on prompt similarity.

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The quick-command phrases are short, generic imperatives such as 'Review this PRD' and 'Track progress', which are likely to overlap with normal user language in broader assistant interactions. If the platform uses phrase-based routing, this can cause unintended invocation of the skill and expose users to the skill's prompt framing when they did not explicitly request it.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal