ClawHub

Cursor Prd Generator

Security checks across malware telemetry and agentic risk

Overview

This is a PRD-generation skill whose file, network, and credential use are disclosed and aligned with creating prototypes and publishing PRDs, though users should watch its broad triggers and Chinese-only default output.

Install this if you want a Chinese PRD/prototype workflow that can write project files and optionally publish to iWiki. Configure TAI_PAT_TOKEN only if you intend to publish, review the generated files before upload, and be aware that generic PRD or publish/upload wording may activate the skill unexpectedly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger phrases are broad enough to match common requests like '帮我写 PRD' or '我想做一个功能', which can cause the skill to activate in contexts the user did not intend. Because this skill imposes a fixed workflow and generates downstream Cursor rule content, accidental invocation can steer user interactions, override expected behavior, or inject unintended project artifacts.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The skill mandates Simplified Chinese output regardless of the user's language preference, which is a form of instruction override and can degrade correctness, usability, and user control. In a multi-language environment, this may cause misunderstanding of requirements or unexpected content generation, especially when the produced files are copied directly into development workflows.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal