Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Prd Skill Workflow2
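v1.0.0
Full-stack PRD collaboration workflow. Works through the requirements together with the user and produces a complete PRD document that development, design, testing, operations, and project managers can use. The collaboration process has 10 steps, and the output PRD contains 14 chapters (project overview, market analysis, requirements list, information architecture, user flows, prototype design, UI specifications, functional specifications, data model, technical solution, non-functional requirements, test plan, analytics instrumentation, operations plan, project plan). When the user says "help...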
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (full-stack PRD workflow) match the repository contents: prompts, templates, example PRDs, build and PDF generation scripts, and helper scripts for init/validate/score. Nothing in the manifest asks for unrelated cloud credentials or system-level access that would contradict the PRD-generation purpose.
Instruction Scope
SKILL.md and the prompts restrict the agent to conversational PRD authoring, stepwise prompts, and template-based output generation. The runtime instructions and prompts do not instruct reading arbitrary system secrets or contacting external endpoints beyond generating document outputs. The included scripts do perform local file reads/writes (merging fragments, building outputs) which are coherent with producing PRD artifacts.
Install Mechanism
The skill is instruction-only for the platform (no platform install spec), but it contains a Node project (package.json) with a dependency on Playwright. Running the repository locally requires 'npm install' and 'npx playwright install chromium' (Playwright will download a browser binary). Run that download, and any npm install, only in environments where you trust the code; the skill itself does not force an install on the agent.
Credentials
No environment variables, credentials, or config paths are declared or required by the skill. The repository does include templates and scripts that read and write local files (templates-config, output files), which is appropriate for a document-generation tool and proportionate to the stated purpose.
Persistence & Privilege
The skill does not request permanent/always-on inclusion (always:false) and does not declare elevated privileges. Scripts can modify files within the project (init-custom-config, update/build scripts) which is expected for a local project scaffolder; nothing indicates it attempts to modify other skills or global agent settings.
Assessment
This repository appears to implement what it claims: a conversational, template-driven PRD workflow with example outputs and local build scripts. If you plan to run it locally:
1) Inspect shell and node scripts (scripts/*.js, templates/*.sh, templates/update.sh) before running; they will read/write files and may run other commands.
2) Be aware npm install will fetch dependencies (Playwright is included) and 'npx playwright install chromium' downloads a browser binary; only run these in a trusted or sandboxed environment.
3) There is no request for secrets or external API keys in the skill, but local scripts can overwrite templates-config via init-custom-config, so back up any important files first.
4) Minor inconsistency: some README/package.json commands reference update.js at the repo root while an update script exists under templates/; verify script paths before running update commands.
Overall the package is internally consistent with its stated purpose; proceed after reviewing the scripts if you will execute them.
templates/update.js:298
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers: review code before you run it.
