Skill v1.0.3

ClawScan security

PRD Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 1:45 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's files, instructions, and resource usage are consistent with a PRD (product requirements document) generator and do not request unrelated credentials, installs, or system access.
Guidance
This skill appears internally consistent and self-contained: it only uses the included PRD templates and UX guidance and does not request secrets or install external code. Two practical notes before installing: (1) the skill's source/homepage is missing—if provenance matters to you, prefer skills from known publishers or inspect bundled files yourself; (2) the allowed-tools list includes 'bash' and file-creation tools — if your agent platform grants real shell access to skills, consider restricting tooling (or confirming the platform sandbox) to prevent undesired shell execution. Otherwise this skill looks appropriate for drafting and reviewing PRDs.

Review Dimensions

Purpose & Capability
ok: Name/description (PRD generator) match the provided assets (PRD template, UX guidelines, user-journey example) and the SKILL.md instructions. No unrelated environment variables, binaries, or external services are required.
Instruction Scope
ok: Runtime instructions are limited to reading the included reference files and interacting with the user through a defined multi-round question/answer and drafting flow. The SKILL.md does not instruct the agent to read arbitrary system files, environment variables, or contact external endpoints beyond standard behavior for an instruction-only skill.
Install Mechanism
ok: There is no install spec and no code files to execute. All referenced resources are shipped in the skill bundle (templates and guidance), so nothing is downloaded or extracted at install time.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths. The included assets and instructions are self-contained and appropriate for the stated purpose.
Persistence & Privilege
ok: Skill is not forced-always-on (always: false) and requests no elevated privileges or cross-skill configuration changes. Autonomous invocation is allowed (platform default) but not combined with other red flags.