Skill v1.0.0

ClawScan security

Cursor Prd Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 30, 2026, 1:56 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's description, runtime instructions, and requirements are internally consistent: it is an instruction-only PRD/rule-generator that asks clarifying questions and emits two Markdown fragments, and it requests no installs, binaries, or credentials.
Guidance
This skill appears coherent and low-risk. Before installing: (1) try it on a trivial single-feature prompt to validate outputs; (2) review generated FEATURE_SPEC.md and .cursor/rules before pasting into any repo or CI to ensure no accidental disclosure or unwanted instructions; (3) note it will follow its clarifying-question flow — be prepared to answer the three required questions for each feature. No credentials or installs are requested.

Review Dimensions

Purpose & Capability
ok: Name/description (generate PRD and Cursor rules) aligns with SKILL.md: the instructions only cover receiving a short requirement, asking three clarifying questions, and producing FEATURE_SPEC.md and .cursor/rules fragments. There are no unrelated environment or binary requirements.
Instruction Scope
ok: SKILL.md confines runtime actions to asking the user three sequential clarifying questions, performing a scope check, and generating the two files merged with a separator. It does not instruct reading system files, environment variables, or sending data to external endpoints.
Install Mechanism
ok: No install spec and no code files — instruction-only. This is the lowest-risk install model and matches the skill's stated functionality.
Credentials
ok: The skill requires no environment variables, credentials, or config paths. Requested access is proportionate (none) to the described behavior.
Persistence & Privilege
ok: always is false and the skill does not request persistent system changes or modify other skills' configs. It is user-invocable and can be invoked autonomously per platform defaults, which is expected.