Security audit

Prd Skill Workflow2

Security checks across malware telemetry and agentic risk

Overview

This is a Chinese-first PRD/document-generation workflow with local project scaffolding and PDF tooling, and the reviewed artifacts do not show hidden exfiltration, destructive behavior, or deceptive execution.

Install this only if you want a Chinese-first PRD workflow that scaffolds local files and can generate HTML/PDF output. Run npm, Playwright, build, update, and rollback commands inside a dedicated PRD project directory, update or lock Playwright before use, and treat generated analytics and authentication defaults as review-required templates rather than production-ready security guidance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Vague Triggers

Medium
Confidence
80% confidence
Finding
Broad trigger phrases like '帮我写PRD' or '产品需求文档' can cause the skill to activate during ordinary conversation, potentially routing users into a more powerful workflow than intended. In a skill that appears to include build/render/script capabilities, overbroad activation increases the risk of accidental tool use, unwanted file generation, or confusing behavior without clear user intent.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
The prompt is entirely written to conduct the interaction in Chinese and does not offer the user a language choice or explain a required locale constraint. This can exclude users, cause misunderstanding of requirements, and create safety/compliance issues if users proceed despite not fully understanding the guidance or outputs.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The prompt is written entirely in Chinese and directs the interaction in Chinese without offering any language selection or documenting that the skill is intentionally limited to Chinese-speaking users. This can exclude or confuse users, lead to incorrect assumptions about user intent, and create reliability and accessibility issues in multilingual environments.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The prompt is entirely written in Chinese and all example interactions assume Chinese output, without offering a language-selection step or documenting that the skill is intentionally limited to Chinese-speaking users. This can cause exclusion, misunderstanding, or incorrect operation for users who invoke the skill in another language, especially in multi-lingual agent environments.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
The prompt is entirely written to conduct the interaction in Chinese and does not provide any mechanism to detect or honor the user's preferred language. This can cause misunderstanding, exclusion, or incorrect PRD output when users or downstream collaborators expect another language, which is especially relevant for multi-stakeholder product documentation workflows.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The telemetry schema explicitly instructs collection of persistent identifiers such as user_id, device_id, page_url, and detailed event timestamps, but the prompt only gives a generic note to 'consider privacy' and does not require consent, minimization, retention limits, or compliance review. In a PRD-writing skill, this can propagate privacy-invasive defaults into downstream product specs and implementations, increasing risk of over-collection, cross-session tracking, and regulatory noncompliance.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Trigger phrases such as "帮我写PRD", "做完整需求文档", and "产品需求文档" are fairly broad and can easily be misrecognized in ordinary conversation as an invocation of this skill, causing the agent to inject large blocks of templated output or switch workflows without first confirming the user's intent. In agent systems, false triggers amplify the risks of context pollution, erroneous automation, and unintended task execution, especially when the skill goes on to drive subsequent multi-step collaboration.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The keyword list includes very broad trigger terms such as 内容, 文章, 视频, 资讯, 新闻, 推荐, and 阅读, which can match many unrelated user requests and cause this skill to activate outside its intended scope. In an agent environment, over-broad activation can hijack user intent, lead to incorrect workflow invocation, and increase exposure of downstream prompt logic or data handling paths.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The description is broad enough to match many generic utility scenarios such as calculators, query tools, assistants, and lifestyle helpers. In a trigger-driven skill system, overly general scope can cause the PRD skill to activate for unrelated user intents, leading to prompt hijacking of normal requests and unintended capture or transformation of user tasks into PRD-generation workflows.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The keyword list contains highly generic terms like 助手, 查询, 天气, 日历, and 记账, which overlap with ordinary assistant and consumer-tool requests. This increases the chance that benign everyday queries will incorrectly trigger the skill, expanding its effective attack surface and enabling misrouting or denial of intended agent behavior.

Credential Access

High
Category
Privilege Escalation
Content
<h4>10.4.1 认证授权</h4>
  <ul>
    <li><strong>JWT Token:</strong>包含用户ID、角色、过期时间</li>
    <li><strong>Token有效期:</strong>Access Token 7天,Refresh Token 30天</li>
    <li><strong>权限控制:</strong>RBAC模型,接口级别鉴权</li>
  </ul>
Confidence
85% confidence
Finding
Access Token

Unpinned Dependencies

Low
Category
Supply Chain
Content
"author": "",
  "license": "MIT",
  "dependencies": {
    "playwright": "^1.40.0"
  },
  "devDependencies": {},
  "engines": {
Confidence
92% confidence
Finding
"playwright": "^1.40.0"

Known Vulnerable Dependency: playwright==1.40.0, 1 advisory: CVE-2025-59288 (Playwright downloads and installs browsers without verifying the authenticity of)

High
Category
Supply Chain
Confidence
98% confidence
Finding
playwright==1.40.0

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
templates/update.js:298