Prd Workflow

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches a PRD workflow, but it also mutates the host during install and ships unrelated internal-login automation with hardcoded credentials, so it needs review before installation.

Review before installing, especially in a work or sensitive environment. Remove or disable the postinstall hook, delete and rotate the hardcoded internal credentials, constrain output paths, replace shell-string and AppleScript path handling with safe argument APIs, and update the documentation to clearly disclose CDN/API use, browser automation, local storage paths, subagent use, and cleanup behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (60)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
    # Auto-open
    if args.open:
        print(f"\n🌐 打开 HTML...")
        os.system(f"open {html_path}")

    # Completion summary
    print("\n" + "=" * 60)
Confidence
97% confidence
Finding
os.system(f"open {html_path}")

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    tell application "Safari" to close window 1
    '''

    result = subprocess.run(
        ['osascript', '-e', script],
        capture_output=True,
        text=True,
        timeout=30,
    )
Confidence
97% confidence
Finding
result = subprocess.run(['osascript', '-e', script], capture_output=True, text=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    print(f"   命令:{' '.join(cmd)}")

    try:
        result = subprocess.run(
            cmd,
            capture_output=True,
            text=True,
            env=env,
            timeout=300,  # 5-minute timeout
        )
Confidence
89% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, env=env, timeout=300)  # 5-minute timeout

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises substantial capabilities such as file read/write, shell, network, and environment access but does not declare permissions. That deprives users and the platform of informed consent and policy enforcement, especially because the documented workflow includes filesystem writes, module loading, and CDN/network usage.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented behavior exceeds the stated PRD-only purpose by including prototype generation, design-system persistence, rollback, rendering, and other operational behaviors. Description-behavior mismatch is dangerous because users may invoke the skill expecting document generation while it performs broader filesystem, automation, and potentially networked actions.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The security section claims there are no external API calls and only local execution, yet the prototype explicitly requires Chart.js from a public CDN. This contradiction can mislead users into trusting the skill in restricted or sensitive environments while it introduces external network dependency, supply-chain risk, and metadata leakage.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The document says the skill only operates in the workspace and has no system file access, but the interview phase writes to ~/.openclaw/workspace/output/... in the user's home directory. Misrepresenting write scope is dangerous because it can bypass user expectations about data locality, persistence, and privacy.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The postinstall script automatically installs a global package (@mermaid-js/mermaid-cli) as a required dependency during installation, which modifies the user's system outside the project directory. Automatically performing global/system-level installs from a package hook is dangerous because it executes privileged package-manager actions at install time without explicit upfront consent and can surprise users or CI environments.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script includes Playwright as an optional fallback and installs it globally, then downloads a Chromium browser via `npx playwright install chromium`. Browser automation tooling is powerful and heavyweight; introducing it from a postinstall path increases attack surface and causes unexpected runtime/tooling changes that are not essential to basic package installation.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The README documents a completely different skill (an HTML prototype generator) than the declared PRD workflow skill, which strongly indicates a skill-packaging or supply-chain integrity problem. This mismatch can mislead reviewers and users about what code and behavior they are installing, reducing trust boundaries and making it easier to hide unexpected functionality in the skill bundle.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file belongs to a PRD workflow skill but contains automation for logging into and analyzing an internal asset-management platform. This mismatch materially increases risk because users invoking a documentation workflow would not reasonably expect live system access, credential use, or data collection from an internal business application.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code authenticates to a live internal system using embedded credentials and then navigates the application. In the context of a PRD workflow skill, this is unjustified privileged access and can expose sensitive business data, enable unauthorized reconnaissance, and normalize hidden access paths inside an agent capability.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script captures screenshots of authenticated internal pages and stores them locally on the Desktop. Screenshots can contain confidential operational data, identifiers, and other sensitive content, and saving them to an uncontrolled local path increases risk of unintended disclosure or persistence beyond the task.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The docstring frames the script as a benign analysis/reporting tool, while the implementation performs live login, navigation, testing, and screenshot collection against an internal platform. This misleading description reduces transparency and can cause operators or reviewers to underestimate the skill's real capabilities and data-access behavior.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This finding reflects the same unsafe behavior: the prototype generator automatically opens a generated file by executing a shell command. While opening a local file is not inherently malicious, implementing it through shell execution creates a real attack surface if an attacker can influence the generated path or filename. The skill context does not justify shell usage here, so the behavior remains risky.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill is presented as a reviewer, but this section explicitly adds 'AI 自动修补' (AI auto-patch) and '自动更新 PRD' (auto-update PRD) behavior, which changes user content rather than only analyzing it. That mismatch is dangerous because users may invoke a supposedly read-only review skill and unintentionally permit content modification, causing integrity loss, unwanted edits, or propagation of incorrect AI-generated requirements.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The documentation introduces an AI-backed '内容检查层' (content check layer) and CLI/API usage with an API key, but the top-level skill description does not clearly disclose that document content may be sent to an external model or service. This creates a data exposure risk because users may submit sensitive PRDs under the assumption that processing is local, especially given the business and financial use cases described elsewhere in the skill.

Intent-Code Divergence

Low
Confidence
91% confidence
Finding
The module documentation claims it 'only returns a task list' and does not execute AI checks, but the implementation embeds substantial source PRD content into each returned task. In an agent workflow, this mismatch can cause downstream components or users to treat the output as low-sensitivity metadata when it actually contains potentially confidential document content, increasing the risk of unintended disclosure.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Although marked deprecated, this module still loads API credentials from environment variables and a user home-directory config file, then uses them for live model calls. In a PRD-review skill, that means potentially sensitive requirement text can be transmitted off-host without strong runtime controls, and stale backup code can be invoked accidentally or reused unsafely.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The file claims it is deprecated and no longer used, but still contains fully functional AI-calling and content-generation logic. This mismatch is dangerous because reviewers or maintainers may treat it as inert backup code while it still exposes networked processing paths for potentially sensitive PRD content.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
The file’s implementation materially diverges from the declared skill purpose: instead of PRD workflow logic, it provides a BM25-backed UI/UX CSV search engine. In an agent skill ecosystem, this kind of capability mismatch is dangerous because it can hide undeclared functionality from reviewers, break least-privilege assumptions, and cause the agent to invoke behavior users and orchestrators did not consent to.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The file can create directories and write generated content to disk under a caller-controlled base directory and page/project-derived filenames. In an agent setting, undeclared write capabilities expand the skill's authority and can lead to unintended filesystem modifications, data sprawl, or overwriting user workspace artifacts if invoked without clear consent.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file is clearly a UI/UX search and design-system utility, while the declared skill is a PRD workflow tool. This kind of capability mismatch is dangerous because it hides undeclared behavior from users and reviewers, weakening trust boundaries and making it easier to smuggle unrelated functionality into an agent skill.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script can persist generated design-system files to disk, but this write capability is not reflected in the PRD workflow description. Undisclosed filesystem writes increase risk because agents or users may invoke the skill expecting read-only analysis while it actually creates project artifacts on disk.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
UI/UX style-guide search and design-system generation are not justified by the stated PRD workflow purpose, indicating hidden or unnecessary capability. In agent environments, unjustified extra capabilities expand attack surface and can be abused to exfiltrate context into generated artifacts, create misleading outputs, or perform actions reviewers do not expect from the advertised skill.

VirusTotal

64/64 vendors flagged this skill as clean.