Security audit

产品经理PRD工具

Security checks across malware telemetry and agentic risk

Overview

This is a PRD-writing assistant that creates or updates local Markdown PRD files, with no hidden code, network use, credentials, or install-time behavior.

Install this if you want an agent to create and update PRD Markdown files. Before using clarify or extend mode, make sure the path points to the intended PRD and keep a backup for important documents, since the skill is designed to save edits directly.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: 该技能会默认在工作目录创建文件，并在澄清/扩展模式中直接改写现有 PRD，但说明中未要求在写入前向用户进行显式确认。这会造成意外文件创建、覆盖邻近文件工作流、或在用户仅期望“预览内容”时发生持久化修改；在具备文件系统访问能力的代理环境中，这属于真实的完整性风险。

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.