pm-requirement-review-simulator

Security checks across malware telemetry and agentic risk

Overview

This skill is a PRD review and scoring helper; the concerns found are documentation consistency issues, not hidden or dangerous behavior.

This skill is reasonable to install if you want advisory PRD review reports. Treat its scores as guidance rather than authoritative until the scoring-rule conflicts and stale reference are cleaned up, and avoid relying on generated HTML as a final legal, financial, or launch decision without human review.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Intent-Code Divergence

Medium

Confidence: 96% confidence
Finding: The document gives two incompatible rules for missing information in user-owned PRDs: one section says missing items should receive a conservative 6-point score, while the enforced sub-item rubric later says fully missing sub-items must score 0. This creates nondeterministic behavior in the scoring engine, allowing the same PRD to be graded differently depending on which rule an agent follows, undermining reliability and making the output manipulable.

Intent-Code Divergence

Low

Confidence: 84% confidence
Finding: The consistency-check logic depends on a referenced '评分标准区间参照' section that is no longer actually present as an active scoring basis. This stale cross-reference can cause implementers to guess the intended standard or invent one, reducing determinism and increasing the chance of inconsistent or arbitrary results.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal