Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Write A Prd

v0.1.3

Create a PRD through user interview, codebase exploration, and module design, then submit as a GitHub issue. Use when user wants to write a PRD, create a pro...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill's stated purpose includes 'explore the repo' and 'submit as a GitHub issue', but the skill metadata requests no repository access, no GitHub token, and no config paths. Submitting a GitHub issue and interacting with a repository normally requires credentials or explicit access; that requirement is missing from the declared footprint.
! Instruction Scope
SKILL.md explicitly instructs the agent to 'explore the repo to verify their assertions' and to submit the PRD as a GitHub issue. It does not specify how repo exploration should occur (local filesystem vs. API), does not limit which files or paths to read, and gives no guidance on how to authenticate to GitHub. This leaves open how the agent will obtain or use repository contents and where the PRD will be transmitted.
Install Mechanism
This is an instruction-only skill with no install spec, no downloaded code, and no binaries requested. That minimizes installation risk.
! Credentials
No environment variables, tokens, or config paths are declared, yet the runtime behavior implies the need for at least a GitHub token (or write access via some connector) and access to the repository contents. The absence of declared credentials is disproportionate to the actions expected.
Persistence & Privilege
The skill does not request persistent presence (always: false) and does not include installation steps that modify agent configuration. No privilege escalation is indicated.
What to consider before installing
This skill's instructions expect access to your codebase and the ability to create a GitHub issue, but it doesn't declare or request the credentials needed to do that. Before installing or invoking it, confirm: (1) how the agent will access your repository (is the repo already mounted/visible to the agent?), (2) whether you'll need to provide a GitHub token — if so, supply a minimal-scope token (repo:issues or equivalent) rather than a full personal access token, (3) avoid sharing secrets or broad-scoped tokens; prefer manual posting of the final PRD if you don't want to grant API access, and (4) ask the skill author to update the metadata/SKILL.md to explicitly state required auth, scopes, and which repository paths the skill will read. These steps reduce the risk of unintended exposure of repository data or over-permissive credentials.

Like a lobster shell, security has layers — review code before you run it.
