Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Prd To Issues
v1.0.0
Break a PRD into independently-grabbable GitHub issues using tracer-bullet vertical slices. Use when user wants to convert a PRD to issues, create implementa...
by Emerson Braun (@emersonbraun)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose is to convert a PRD into GitHub issues, and the SKILL.md explicitly instructs running `gh issue view` and `gh issue create`. However, the registry metadata declares no required binaries and no credentials. A coherent skill would declare the gh CLI (or an API token) as required and/or document how authentication should be provided.
Instruction Scope
The runtime instructions stay within the expected scope: locate the PRD (via gh), optionally explore the codebase, draft vertical-slice issues, ask the user to approve, and create issues with `gh issue create`. It does not instruct reading unrelated files or exfiltrating data. It does assume the agent can run gh against the target repository.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing is written to disk by an installer. That minimizes risk; the primary runtime action is invoking the user's gh CLI.
Credentials
The skill requires access to GitHub via `gh` but declares no required env vars or primary credential. In practice `gh` will need a logged-in user or a GH token (GH_TOKEN or gh auth). The absence of declared credentials is an omission that hides the fact that the agent will need permission to create issues in repositories.
Persistence & Privilege
`always` is false and the skill does not request permanent presence or modify other skills. Autonomous invocation (model invocation enabled) is the default platform behavior; the skill could create issues when invoked, but it does not demand elevated platform privileges itself.
What to consider before installing
Before installing: (1) confirm that you are comfortable with the agent running the GitHub CLI (gh) — it will fetch PRD issues and create new issues in your repo. (2) Ask the publisher to update metadata to declare the gh binary and to document required authentication (e.g., GH_TOKEN or gh auth login). (3) Run the skill first in a test repository or with a limited-permission account. (4) If you enable autonomous invocation, be aware the agent could create issues without additional prompts; restrict its GitHub permissions accordingly.
Like a lobster shell, security has layers — review code before you run it.
latestvk97bj9v44cng5vtgp5w0ztr08x84deyp
