ClawHub

"AI 产品经理教练。通过引导式对话帮助 PM 完成 AI 产品设计:从痛点分析到 PRD 输出。不替代 PM 决策,而是引导 PM 思考,在关键节点让 PM 做出选择。触发词:AI 产品、产品设计、PRD、能力边界、置信度、幻觉。" metadata:

Security checks across malware telemetry and agentic risk

Overview

This appears to be a product-management coaching skill with only low-impact scope-control concerns around broad activation phrases.

Install if you want an AI product/PRD coaching workflow. Be mindful that broad phrases like product design, PRD, continue, or generate PRD may route normal product discussions into this skill, so use explicit wording when you do or do not want the coaching flow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill metadata includes broad trigger terms such as 'AI 产品', '产品设计', and 'PRD', which are common in normal conversation and may cause the subagent to activate outside the user's intended scope. This creates a prompt-scope control issue: the skill can insert its coaching workflow into unrelated product discussions, potentially hijacking conversation flow or causing unintended internal skill chaining.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The usage examples present ordinary phrases like '我想设计一个 AI 产品', '继续', and '生成 PRD' as activation or continuation commands without any namespace or session-binding requirement. In a multi-skill environment, these common phrases can accidentally trigger or steer this subagent, leading to unintended execution of its workflow and possible internal invocation of other wrapped skills.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal