Code To Prd
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This looks like a legitimate local documentation generator, but it should be run only on codebases you are comfortable having summarized into PRD files.
Before installing or running, confirm you trust the package source, run it only against codebases you are authorized to document, and review the generated PRD/analysis files before sharing them.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can read and summarize a local codebase and create files in the selected output directory.
The skill expects the user to run its included local scripts against a user-chosen project path and to write output files. This is central to its purpose, but users should ensure the path and output directory are intended.
python3 scripts/codebase_analyzer.py /path/to/project -o analysis.json
python3 scripts/prd_scaffolder.py analysis.json -o prd/ -n "My App"
Run it only on intended project folders and direct output to a safe, preferably empty PRD directory.
Generated documents may expose internal product design, API structure, and model details if shared broadly or reused in later agent sessions.
The generated PRD is intended to preserve detailed summaries of the codebase. That is purpose-aligned, but the output may contain sensitive architecture, API, permission, and business-logic information.
produce business-readable documentation detailed enough for engineers or AI agents to fully reconstruct every page and endpoint
Review generated files before sharing them, keep them in an appropriate repository/location, and avoid running on code you are not authorized to analyze.
Users have less upstream provenance information to rely on when deciding whether to run the included scripts.
The registry metadata does not provide a clear source or homepage, while the skill includes runnable helper scripts. This is a provenance note rather than evidence of malicious behavior.
Source: unknown
Homepage: none
Inspect the included scripts and prefer obtaining the skill from a trusted repository or verified publisher when possible.
