ClawHub
Back to skill
v1.0.2

PRD-review

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:04 AM.

Analysis

This skill appears coherent and benign: it reviews user-provided PRD documents using a local parser and checklist, with no evidence of network access, credential use, persistence, or hidden behavior.

GuidanceThis skill looks safe to install if you are comfortable having the agent analyze the PRD content you provide. Because PRDs can contain sensitive business plans, only upload or reference files intended for review, and install any Python dependencies from trusted sources.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
SeverityLowConfidenceHighStatusNote
SKILL.md
python scripts/doc_parser.py <文档路径>

The skill explicitly tells the agent to run a bundled local Python parser on a document path. This is purpose-aligned and the included script only parses local document text, but users should ensure the path is the intended PRD file.

User impactThe agent may read and process the contents of local PRD files that the user provides.
RecommendationUse the skill only with documents you intend to have analyzed, and avoid pointing it at unrelated local files.
Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
SKILL.md
dependency:\n  python:\n    - python-docx==1.1.0\n    - PyPDF2==3.0.1

The parser depends on pinned Python packages, while the provided install specification says there is no install spec. This is not suspicious, but users may need to manage these dependencies manually.

User impactIf the required packages are missing, parsing Word or PDF files may fail until the dependencies are installed.
RecommendationInstall dependencies only from trusted package sources and keep the pinned versions unless you have a reason to change them.