requirement-review-simulator
v1.0.0
PRD review stress-test simulator: 5 cross-functional roles challenge your requirements across 3 difficulty levels, outputs a scored HTML survival report with...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Benign, medium confidence
Purpose & Capability
Name/description match the actual assets and runtime instructions: it's an instruction-only PRD review simulator that uses local reference files and an HTML template to produce reports. No unrelated binaries, cloud creds, or config paths are requested.
Instruction Scope
SKILL.md instructs the agent to (a) collect user inputs via a checklist, (b) load local reference docs (scoring engine, playbook, HTML template) and strictly follow deterministic scoring rules, and (c) produce an HTML report in the supplied template. This scope is appropriate for the stated purpose. Caveat: the SKILL.md includes a detected 'unicode-control-chars' prompt-injection signal—review the actual file for invisible control characters that could manipulate prompt parsing or display.
Install Mechanism
No install spec and no code files to execute; instruction-only skill with local resource files. This is low-risk from an installation perspective.
Credentials
The skill requests no environment variables, credentials, or config paths. Requested data is user-provided PRD content and selections (difficulty, type). No disproportionate access is requested.
Persistence & Privilege
always is false and the skill is user-invocable (normal). It does not request persistent system privileges or modify other skills. Autonomous invocation is allowed by default but not combined with other red flags here.
Scan Findings in Context
[unicode-control-chars] unexpected: Prompt-injection pattern (invisible Unicode control characters) was detected inside SKILL.md. This is not required for the simulator's function and could be accidental (copy/paste) or deliberate. Recommend manual inspection of SKILL.md and reference files for stray control chars or hidden instructions before trusting and installing the skill.
Assessment
What to check before you install/use this skill:
- Review the SKILL.md and the three reference files (scoring-engine-deterministic.md, review-playbook.md, report-template-pro.html) yourself — they are the runtime rules; look for any hidden or unexpected instructions, unusual markup, or invisible control characters. The scanner flagged 'unicode-control-chars' in SKILL.md; this often indicates accidental copy/paste but can also be used to hide text or alter prompt parsing.
- The skill uses only local files and templates and does not request credentials or install code, which lowers risk. Nevertheless, avoid pasting highly sensitive proprietary PRD content until you are comfortable with where generated HTML reports are stored or transmitted by your agent environment.
- Confirm the source: claw.json points to a GitHub account, but the top-level metadata listed 'Source: unknown' and homepage was 'none' in the registry summary. If you rely on this skill for sensitive work, prefer skills with a verifiable homepage/repo or inspect the repository yourself.
- Run first uses in a sandbox or with non-sensitive example PRDs to validate outputs and ensure there are no unexpected external network calls or telemetry in your agent runtime.
If you want, I can (1) show the exact lines of SKILL.md around the detected control characters, or (2) produce a checklist to help you manually review the included reference files for anything suspicious.
