prd-design
Advisory
Audited by Static analysis on May 10, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Opening the generated prototype may contact third-party CDNs and execute those browser libraries.
Generated/opened prototypes rely on external CDN-hosted React, Babel, and Tailwind scripts. This is normal for a lightweight prototype template, but it means the prototype depends on third-party script sources.
<script crossorigin src="https://unpkg.com/react@18/umd/react.production.min.js"></script> ... <script src="https://cdn.tailwindcss.com"></script>
Use the CDN version only if acceptable for your environment, or replace the scripts with locally reviewed copies for sensitive or offline work.
The workflow may require Node.js locally and may fail or need adjustment if Node is unavailable.
The workflow may invoke a local Node.js syntax-check command against generated JavaScript. This is proportionate for validating an HTML prototype, and the artifact does not instruct running arbitrary downloaded code.
Use `node --check` to verify the syntax; when returncode≠0, **saving the output is forbidden and the error must be fixed first**.
Run this in a normal project workspace, review generated prototype code if it contains sensitive content, and consider declaring Node as a requirement if this validation is mandatory.
Internal screenshots, schemas, or documents provided to the workflow may persist in generated project folders and outputs.
The skill stores user-provided screenshots and derived project materials in local project files. This is expected for product-design work, but those files may contain internal business or system details.
If the user uploads screenshots:
- Save the screenshots to `project/03-modify/screenshots/`
- Reference the screenshot paths in the document
Provide only materials you are allowed to include, remove secrets or customer data from screenshots/DDL before sharing, and clean up the generated project folder when no longer needed.
