Skill v0.1.0
ClawScan security
产品经理PRD工具 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 12, 2026, 11:35 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior (reading/writing arbitrary PRD files and creating directories) matches its description, but the runtime instructions lack safeguards around filesystem paths and reference shell operations without declaring required binaries—this creates moderate risk and some incoherence you should review before use.
- Guidance: This skill appears to implement the advertised PRD workflows, but it instructs the agent to read and write files and to run shell commands without limiting where it can write. Before installing or running it:
  - Only pass file paths inside a safe workspace (avoid system paths like /etc, ~/). Prefer relative paths inside a sandboxed project directory.
  - If possible run the skill first in a disposable workspace and review the produced files before using them elsewhere.
  - If you expect to run in an environment without a shell, note the SKILL.md references Bash (mkdir -p); confirm the runtime provides a shell or adjust the instructions.
  - Because the skill can autonomously be invoked by the agent, consider disabling autonomous invocation or restricting when/which prompts can trigger it until you’re comfortable with its behavior.
  - Ask the author (or edit SKILL.md) to add explicit path-safety rules (e.g., refuse absolute paths, normalize and restrict to ./workspace or ./prds) and an explicit statement that no external network calls are made.

  If you need lower risk: run the skill manually (not autonomously) and always inspect/backup files the skill will modify.
Review Dimensions
- Purpose & Capability (note): Name/description (PRD generation/clarify/extend) match the SKILL.md workflows. The actions the skill performs (parse user text, read/write PRD files, ask clarifying questions) are appropriate for a PRD tool. Minor mismatch: instructions call out using Bash (mkdir -p) but the skill declares no required binaries.
- Instruction Scope (concern): The SKILL.md instructs the agent to read arbitrary file paths provided via $ARGUMENTS and to create directories and write files to the filesystem (./prds/<name>.md or user-supplied paths). There are no explicit guards restricting writes to the agent workspace or preventing writes to sensitive system paths. The skill will also modify files in place (adding clarifications and sessions). No external network endpoints are referenced. Because file reads/writes are central, lack of path-scope constraints is a security concern.
- Install Mechanism (ok): Instruction-only skill with no install spec or code files—nothing is downloaded or written during install. This is low risk from an installation perspective.
- Credentials (ok): Skill requests no environment variables, credentials, or config paths; this is proportionate to its stated purpose.
- Persistence & Privilege (note): always:false (normal). The skill is allowed autonomous invocation (platform default); combined with its file-write behavior this increases impact if the agent invokes it without clear user direction. There is no request to modify other skills or system settings.
