Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PRD-Writer

v2.0.0

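Generates structured product requirements documents (PRDs) based on a three-stage workflow and MoSCoW prioritization; supports writing from scratch, optimizing existing PRDs, and converting documents into PRDs.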

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, and included PRD templates align with the stated goal (generate/optimize PRDs using a 3‑stage workflow and MoSCoW). Nothing else in the bundle (no binaries, no extra libraries) appears disproportionate. However, SKILL.md explicitly mentions a 'feishu_fetch_doc' action to read Feishu documents but the skill declares no Feishu-related credentials, config paths, or environment variables — this mismatch is unexplained.
Instruction Scope
Instructions focus on asking questions, structuring content, applying MoSCoW and Given/When/Then formats, and producing the PRD. They do not instruct reading arbitrary local files or system state. The only external data access referenced is feishu_fetch_doc for Mode C, which is appropriate for a document-import feature but expands the skill's runtime scope to fetch user-hosted docs. The SKILL.md does not state how fetched document contents are handled, stored, or transmitted.
Install Mechanism
No install spec and no code files to execute — the skill is instruction-only and therefore has a minimal on-disk footprint and low install risk.
Credentials
The skill declares no required environment variables or primary credential (good minimization). Yet it expects to call feishu_fetch_doc to read Feishu documents. If reading Feishu docs requires OAuth tokens or API keys, those credentials are not declared. That discrepancy could be benign (platform provides a connector automatically) or could hide missing permission/consent requirements; the absence of declared credentials reduces transparency.
Persistence & Privilege
The skill is not always-enabled, is user-invocable, and does not request persistent system privileges or modify other skills. Autonomous invocation is permitted (platform default) but not combined with any anomalous privileges in this package.
What to consider before installing
This skill appears to do what it says: guide you through collecting requirements and generating PRDs using included Chinese/English templates. Before installing or using it, confirm how it will access external documents: SKILL.md references feishu_fetch_doc (fetching Feishu docs) but the package declares no Feishu credentials or config. Ask the provider or platform: (1) will the agent prompt you to grant access to your Feishu account, or does the platform supply a Feishu connector? (2) where will fetched document contents be stored or sent? Avoid pasting or linking highly sensitive documents until you understand the connector and consent flow. If you don't want any external fetches, use Mode A (manual input) or remove/disable the document-import step. Finally, because the skill's source/homepage are unknown, prefer using it only with non-sensitive examples until you verify provenance and connector behavior.
