Security audit

公司内部系统PRD编写 (PRD Writing for Internal Company Systems)

Security checks across malware telemetry and agentic risk

Overview

This is a document-only Chinese PRD/prototype-writing skill with privacy and localization caveats, but no hidden execution, credential use, or destructive behavior.

Install this only if you want a Chinese-language workflow for designing internal business-system PRDs. Do not paste real payroll records, secrets, or unnecessary employee identifiers into examples, and review any generated tracking plan for data minimization, retention, access controls, and legal/compliance approval before implementation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Natural-Language Policy Violations

Medium, 93% confidence
Finding
The skill hard-codes the expected user confirmation tokens as Chinese ("确认"/"修改 X") without offering a language-neutral alternative or detecting the user's language. This can create a safety and usability failure mode where users cannot easily confirm, correct, or halt progression, increasing the chance of misunderstanding or accidental workflow dead-ends in a gated multi-step process.

Natural-Language Policy Violations

Medium, 92% confidence
Finding
The skill hard-codes all user-facing prompts and workflow steps in Chinese and does not provide any mechanism to detect, honor, or ask for the user's preferred language. In a multi-user or mixed-language environment, this can degrade usability, cause misunderstanding of requirements, and lead the agent to collect incorrect product inputs or exclude users who cannot effectively respond in Chinese.

Missing User Warnings

Medium, 94% confidence
Finding
The tracking plan explicitly includes employee identifiers in analytics events for internal payroll workflows, but the document provides no guidance on minimization, notice, retention, access control, or lawful basis for collecting this telemetry. In the context of a salary/payroll system, employee IDs are linked to highly sensitive HR and compensation actions, so careless instrumentation can create unnecessary privacy exposure and compliance risk even if the system is company-internal.

VirusTotal

66/66 vendors flagged this skill as clean.
