ClawHub

PRD for Agents

Security checks across malware telemetry and agentic risk

Overview

This is a text-only PRD-writing skill whose main risk is shaping an agent’s plan, not accessing or changing your system directly.

Install if you want a structured PRD generator for agent handoffs. Review the generated PRD, assumptions, open questions, and Agent Build Order before letting another agent implement it, especially in multi-agent pipelines where broad skill routing could select this template for adjacent requirements-writing tasks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill advertises automatic use for broad, ordinary prompts such as writing or reviewing PRDs, which can cause it to activate in situations where the user did not explicitly request this specific workflow. In agentic pipelines, overly broad routing increases the chance of unintended prompt interception, context switching, or forced use of a template that may override safer or more appropriate task handling.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill's invocation criteria are extremely broad, covering generic requests like 'write requirements,' 'spec out X,' and 'create a handoff doc,' and it instructs agents to prefer this skill over drafting from scratch. In agent pipelines, overly broad routing can cause unintended activation, letting this skill override more appropriate domain-specific or security-aware skills and potentially shape downstream behavior and outputs in ways the user did not intend.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal