Software Manager Skill

Pass. Audited by VirusTotal on May 10, 2026.

Overview

Type: OpenClaw Skill
Name: software-manager-skill
Version: 2.2.0

The skill bundle provides a product management workflow, including PRD generation and H5 prototyping. It includes a Python script (prd_export.py) and a Node.js script (mermaid_render_multi.js) that use system-level execution (subprocess.run, execSync) and registry queries to locate browsers and render Mermaid diagrams. While these capabilities are plausibly necessary for the stated functionality, the use of shell execution and broad filesystem path searching across multiple platforms (Windows, macOS, Linux, WSL) constitutes a high-risk capability according to the analysis threshold. No evidence of intentional malice, data exfiltration, or unauthorized persistence was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may search externally, read the skill’s local reference files, and write generated PRD/prototype files when you provide a path.

Why it was flagged

The skill explicitly directs the agent to use browsing/search, local read/search, and file-write tools. These are aligned with research and PRD export, but they are real tool actions the user should notice.

Skill content
Use the `WebFetch` tool to fetch official documentation, or use the `Grep`/`Read` tools to search the local reference documentation. ... Once the user has specified a path, use the Write tool to save the file
Recommendation

Provide only the information you are comfortable searching externally, and review the save path before allowing file writes.

What this means

Using the full export/rendering features may require installing additional Node/Python packages from package registries.

Why it was flagged

The skill relies on unpinned external packages for Mermaid rendering and Word export, while the registry-level install spec is absent. This is purpose-aligned but should be clearer before installation.

Skill content
required_npm_packages:
  - "@mermaid-js/mermaid-cli"   # npm install -g @mermaid-js/mermaid-cli
required_python_packages:
  - python-docx
Recommendation

Install dependencies from trusted registries, consider pinning versions, and verify that global npm installs are acceptable in your environment.

What this means

Running the renderer can execute a local shell command for browser discovery.

Why it was flagged

The Mermaid renderer uses Node child_process shell execution to query the Windows registry for a browser path. The documented purpose mentions automatic browser detection, so this appears expected, but it is still local command execution.

Skill content
const out = execSync(`reg query "${key}" /v Path`, { encoding: 'utf8', timeout: 5000 }).trim();
Recommendation

Only run the renderer in a trusted project environment, and review the script if you are concerned about local command execution.

What this means

Product ideas, competitor names, or business details you provide could be included in external search queries.

Why it was flagged

The skill’s normal workflow sends research queries to a system-selected network search provider. This is disclosed and useful for market/competitor research, but the provider and data boundary are not specified.

Skill content
Workflow: confirm requirements → ask clarifying questions → web search + RAG search ... Search strategy: prefer the most reliable web search tool available in the environment (selected automatically by the system)
Recommendation

Avoid sharing confidential roadmap, customer, or proprietary strategy details unless you are comfortable with them being used in external searches.