Description-Behavior Mismatch
Medium
- Confidence
- 91% confidence
- Finding
- On its face this skill is a PRD writing/review tool, but its documentation explicitly introduces file-modification capabilities: automatically scanning for PlantUML, compiling it to PNG, creating directories, and writing the results back into the document. That capability boundary clearly exceeds pure text generation. For the user, it means that invoking a writing skill may trigger local filesystem writes and content overwrites; if the scope is not adequately disclosed or restricted, it can easily lead to unintended modification, bulk rewriting, or abuse via embedded content.
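As an added illustration of how a diagram workflow like the one described can be scoped (this is not the skill's own code and is not taken from its documentation): the script extracts `@startuml`/`@enduml` blocks from a PRD, plans PNG targets under a `diagrams/` directory beside the PRD, rejects any block name that resolves outside that directory, refuses to overwrite existing files unless explicitly allowed, and produces the rewritten document in memory instead of writing it back. The sample PRD, the `diagrams/` output convention and the bare `@startuml` markers are assumptions made for the example; actual PlantUML compilation is left to the caller.

```python
import os
import re
from pathlib import Path

# Constructed sample PRD (not the audited skill's documentation). The second
# block carries a hostile name that tries to escape; the third is unnamed.
SAMPLE_PRD = """# Checkout PRD

@startuml checkout-flow
Alice -> Bob: pay
@enduml

Some prose between diagrams.

@startuml ../../etc/cron.d/evil
Mallory -> Host: persist
@enduml

@startuml
A -> B: unnamed
@enduml
"""

BLOCK_RE = re.compile(
    r"@startuml(?:[ \t]+(?P<name>\S+))?[ \t]*\n(?P<body>.*?)@enduml", re.S
)


def extract_blocks(prd_text):
    """Return (name_or_None, body) for every PlantUML block, in document order."""
    return [(m.group("name"), m.group("body")) for m in BLOCK_RE.finditer(prd_text)]


def plan_png_writes(prd_text, prd_path, *, exists=os.path.exists, allow_overwrite=False):
    """Decide, without touching the filesystem, which PNGs may be written.

    Every target must resolve to a path inside <prd dir>/diagrams/ (assumed
    output convention); anything else is rejected. Existing files are skipped
    unless allow_overwrite is set. `exists` is injectable so the planner can be
    exercised without real files.
    """
    prd_dir = Path(prd_path).resolve().parent
    out_dir = prd_dir / "diagrams"
    plan = []
    for index, (name, body) in enumerate(extract_blocks(prd_text), start=1):
        name = name or f"diagram-{index}"
        # resolve() normalises '..' and absolute names without requiring the
        # file to exist, so containment is checked on the real target path.
        target = (out_dir / f"{name}.png").resolve()
        entry = {"index": index, "name": name, "target": str(target), "source": body}
        if out_dir not in target.parents:
            entry.update(action="reject", reason="target escapes diagrams directory")
        elif exists(target) and not allow_overwrite:
            entry.update(action="skip", reason="file exists and overwrite not allowed")
        else:
            entry.update(action="write", reason="")
        plan.append(entry)
    return plan


def rewrite_with_image_links(prd_text, prd_path, plan):
    """Return the PRD with accepted blocks replaced by image links.

    Rejected blocks are left exactly as they were, and the original file is
    never modified here: the caller can diff or review before committing.
    """
    prd_dir = Path(prd_path).resolve().parent
    by_index = {entry["index"]: entry for entry in plan}
    counter = iter(range(1, len(plan) + 1))

    def replace(match):
        entry = by_index[next(counter)]  # sub() visits blocks in the same order
        if entry["action"] == "reject":
            return match.group(0)
        rel = os.path.relpath(entry["target"], start=prd_dir)
        return f"![{entry['name']}]({rel})"

    return BLOCK_RE.sub(replace, prd_text)


if __name__ == "__main__":
    plan = plan_png_writes(SAMPLE_PRD, "/work/prd.md", exists=lambda p: False)
    for entry in plan:
        print(entry["action"], entry["name"], entry["reason"])
    print(rewrite_with_image_links(SAMPLE_PRD, "/work/prd.md", plan))
```

The point of the plan step is that every write is visible and reviewable before it happens, which is exactly what a skill with an undisclosed write scope denies the user.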
Security audit
Security checks across malware telemetry and agentic risk
This PRD-writing skill is purpose-aligned, but users should notice that its diagram workflow can create or overwrite local diagram files.
Install if you want a PRD assistant that can also produce diagram artifacts. Keep PRDs under version control, avoid running the referenced local Python helper unless you have inspected it, and be aware that opening the Mermaid HTML template may load code from a CDN.
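One way to verify the CDN caveat before opening the template, as an added example that is not part of this audit's tooling or of the skill: scan an HTML file for remote `script`, `link` and `iframe` loads and report which of them lack a Subresource Integrity hash. The template below is constructed for the example with an `example.net` host; the skill's real Mermaid template is not reproduced here.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed template (not the skill's actual file): one CDN script without
# an integrity hash, one pinned with SRI, a protocol-relative stylesheet, and
# one local script that must not be reported.
SAMPLE_TEMPLATE = """<!doctype html>
<html><head>
<script src="https://cdn.example.net/mermaid/dist/mermaid.min.js"></script>
<script src="https://cdn.example.net/lib.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
<link rel="stylesheet" href="//cdn.example.net/theme.css">
<script src="./vendor/local.js"></script>
</head><body><pre class="mermaid">graph TD; A-->B;</pre></body></html>
"""


def is_remote(url):
    """True for http(s) URLs and protocol-relative (//host/...) URLs."""
    if url.startswith("//"):
        return True
    return urlparse(url).scheme in ("http", "https")


class RemoteLoadScanner(HTMLParser):
    # Which attribute carries the fetched URL for each tag of interest.
    SRC_ATTR = {"script": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.SRC_ATTR.get(tag)
        if attr_name is None:
            return
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        url = a.get(attr_name)
        if not url or not is_remote(url):
            return
        self.findings.append({
            "tag": tag,
            "url": url,
            "integrity": bool(a.get("integrity")),
            "crossorigin": a.get("crossorigin"),
        })


def scan_template(html):
    """Return every remote resource load found in the document."""
    scanner = RemoteLoadScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def unpinned_remote_loads(html):
    """Remote loads with no SRI hash: the CDN can change what runs locally."""
    return [f for f in scan_template(html) if not f["integrity"]]


if __name__ == "__main__":
    for finding in unpinned_remote_loads(SAMPLE_TEMPLATE):
        print(f"unpinned {finding['tag']} load: {finding['url']}")
```

An integrity hash pins the fetched content but still requires network access and still discloses that the file was opened; vendoring the library next to the template removes the remote dependency altogether.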
65/65 vendors flagged this skill as clean.
No suspicious patterns detected.