PRD FullStack Skill
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a coherent PRD document-writing skill; the only notable items are optional local build/PDF scripts and a normal third-party dependency.
This skill looks safe for PRD drafting. If you only use the conversational workflow, it does not require credentials or broad system access. If you use the HTML/PDF build features, review and run the local scripts intentionally, keep generated files in a project folder, and install Playwright from a trusted source.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you run the PDF build script, it will execute local Node.js code, launch a browser process, and write generated files.
The skill includes a local PDF-generation script that launches Playwright/Chromium and writes a PDF file. This is expected for the advertised PDF output feature, but it is still local code execution.
const { chromium } = require('playwright'); ... const browser = await chromium.launch(); ... await page.pdf({ path: PDF_FILE, format: 'A4' ... });
Run build/PDF scripts only when you need them, from the expected project directory, and without elevated privileges.
Installing dependencies may pull third-party code from the package ecosystem.
PDF generation depends on an external npm package with a semver range. This is disclosed and purpose-aligned, but it introduces standard third-party dependency provenance/update considerations.
"dependencies": { "playwright": "^1.40.0" }
Install dependencies from trusted registries and consider using a lockfile or an exact pinned dependency version for reproducible installs.
