
Security audit

PRD for AI Agents

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only PRD writing skill with no code, install scripts, credential handling, or hidden execution behavior.

Safe to install as a document-generation skill. Review generated PRDs and especially any CLAUDE.md or AGENTS.md companion files before letting another coding agent follow them, because assumptions in those files can shape later implementation work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium severity
Confidence: 93%
Finding
The activation guidance says to use the skill whenever the user asks to "spec a feature," says "spec this out," "create a build plan," or shares a raw idea dump and wants something an agent can build from. Several of these phrases are common and context-dependent, and the file does not provide negative examples or tighter scope boundaries to distinguish PRD requests from ordinary planning or brainstorming.
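The kind of scope check behind this finding, written out as an added illustration that is not SkillSpector's code: it pulls the quoted trigger phrases out of a skill's activation guidance, treats short phrases built from everyday planning verbs as context-dependent (an assumed heuristic), and looks for negative-example markers such as "do not use" or "not for" (also assumed). The two sample descriptions are constructed here, modeled on the phrases the finding quotes; the second adds the scope boundary the finding says is missing, which is enough to drop the result from medium to low.

```python
"""Heuristic trigger-scope check for a skill's activation guidance.

Illustrative only; not SkillSpector's implementation. The generic-word list
and the negative-example markers are assumptions chosen for this example.
"""
import re
from dataclasses import dataclass

# Assumed: everyday planning verbs/nouns that make a short trigger phrase
# likely to appear in ordinary conversation without meaning "write a PRD".
GENERIC_WORDS = {"spec", "plan", "build", "create", "outline",
                 "draft", "write", "idea", "feature"}

# Assumed markers that a description states what the skill is NOT for.
NEGATIVE_MARKERS = re.compile(
    r"\b(do not use|don't use|not for|unless|only when|out of scope)\b",
    re.IGNORECASE,
)

# Trigger phrases are the double-quoted snippets in the guidance text.
QUOTED = re.compile(r'"([^"]+)"')

# Constructed sample, modeled on the phrases the finding quotes.
SAMPLE_DESCRIPTION = (
    'Use this skill whenever the user asks to "spec a feature", says '
    '"spec this out", asks to "create a build plan", or shares a raw idea '
    'dump and wants something an agent can build from.'
)

# Same guidance with an explicit scope boundary added (constructed).
TIGHTENED_DESCRIPTION = SAMPLE_DESCRIPTION + (
    ' Do not use for brainstorming, general planning discussions, or '
    'questions about an existing PRD.'
)


@dataclass(frozen=True)
class ScopeReport:
    triggers: tuple[str, ...]       # every quoted trigger phrase found
    generic: tuple[str, ...]        # the subset judged context-dependent
    has_negative_examples: bool     # any "not for"-style boundary present
    severity: str                   # "none", "low" or "medium"


def is_generic(phrase: str) -> bool:
    """A phrase of four words or fewer that leans on a common planning
    word is treated as something a user might say without wanting a PRD."""
    words = re.findall(r"[a-z']+", phrase.lower())
    return len(words) <= 4 and any(w in GENERIC_WORDS for w in words)


def check_trigger_scope(description: str) -> ScopeReport:
    """Rate how vaguely a skill's activation guidance is scoped.

    medium: generic triggers and no negative examples to bound them
    low:    generic triggers, but the text does say what it is not for
    none:   no generic triggers found
    """
    triggers = tuple(QUOTED.findall(description))
    generic = tuple(p for p in triggers if is_generic(p))
    has_negative = bool(NEGATIVE_MARKERS.search(description))
    if generic and not has_negative:
        severity = "medium"
    elif generic:
        severity = "low"
    else:
        severity = "none"
    return ScopeReport(triggers, generic, has_negative, severity)


if __name__ == "__main__":
    for label, text in (("as written", SAMPLE_DESCRIPTION),
                        ("with scope boundary", TIGHTENED_DESCRIPTION)):
        report = check_trigger_scope(text)
        print(f"{label}: severity={report.severity}, "
              f"generic triggers={list(report.generic)}, "
              f"negative examples={report.has_negative_examples}")
```

The check is deliberately lexical: it does not judge whether the phrases are good triggers, only whether the guidance leaves them unbounded. Tightening a skill is then a matter of adding the "do not use for ..." sentence and re-running, which is the same remediation the finding implies.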

VirusTotal

0/64 VirusTotal vendors detected anything in this skill; all 64 returned a clean result.


Static analysis

No suspicious patterns detected.