Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
6skill
v1.0.0
Create and manage Product Requirements Documents (PRDs) with structured user stories, acceptance criteria, and task prioritization for feature development.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (create/manage PRDs and structured user stories) align with the provided templates, prd.json format, progress tracking, and agent-run workflows. All declared requirements (no env vars, no binaries) match the instruction-only package.
Instruction Scope
The SKILL.md and references instruct agents to read and update repo files, create branches, run checks, and commit code. Critically, they also show an unattended agentic loop example that repeatedly invokes an agent with the flag `--dangerously-skip-permissions`. That flag, as its name states, skips permission controls, and the infinite loop pattern can lead to unattended, repeated changes to a codebase. Recommending permission bypasses and always-on agentic loops is outside the narrow 'PRD authoring' need and is a risky instruction.
Install Mechanism
No install spec and no code files (instruction-only). Nothing will be written or downloaded by the skill itself during install. Low install risk.
Credentials
The skill requests no environment variables, credentials, or config paths. It operates on local repo files (prd.json, progress.txt) which is proportionate to a PRD/agent workflow.
Persistence & Privilege
Skill metadata does not request always-on presence. However, the included agentic loop templates encourage running autonomous agents that repeatedly modify the repository. Autonomous invocation of agents is allowed by platform defaults; the risk here stems from the provided instructions (unattended loop + permission bypass) rather than skill metadata.
What to consider before installing
This skill is coherent for creating PRDs and providing agent-run templates, but it includes a dangerous example: an unattended loop that runs an agent with `--dangerously-skip-permissions`. Before installing or using: (1) Do not run the unattended agentic loop unless you fully trust and sandbox the agent; prefer human-in-the-loop operation. (2) Never use flags or settings that bypass permission checks. (3) Review any generated commits and CI/test outputs before merging. (4) Run agents in isolated clones or worktrees and back up your repo. If the author can clarify why permission bypass is recommended or provide safer agent invocation patterns, the risk would be reduced.
Like a lobster shell, security has layers — review code before you run it.
