Is prd safe?
https://clawhub.ai/bjesuiter/prd
The PRD skill is a benign documentation-only skill that provides templates and workflows for creating Product Requirements Documents. It contains no executable code, makes no network connections, and did not access canary files. The primary risk is behavioral: its reference documentation promotes running AI agents in fully autonomous loops with --dangerously-skip-permissions, and the workflow pattern creates an indirect attack surface where a poisoned prd.json could be used to execute arbitrary instructions through an unattended agent.
Findings (6)
MEDIUM (-15): Promotes --dangerously-skip-permissions flag usage
The agent-usage.md reference explicitly shows running Claude Code with --dangerously-skip-permissions in an infinite while loop. This bypasses all user confirmation prompts, meaning any instruction in prd.json would be executed without human oversight. While this is documented as a usage pattern rather than an injected instruction, it normalizes a dangerous practice.
LOW (-7): Autonomous agent persona instructions in reference docs
The agent-usage.md and output-patterns.md files contain prompt templates that instruct the agent to behave as an 'autonomous coding agent' that reads tasks, implements them, commits code, and modifies project files without human review. These are reference documents (not the main SKILL.md), but they could influence agent behavior if the agent reads the references/ directory.
LOW (-15): Indirect attack surface via poisoned prd.json
The skill's workflow pattern creates an indirect attack vector: if an attacker can place a malicious prd.json in a project (via PR, shared repo, or social engineering), the autonomous execution loop would carry out the attacker's instructions as acceptance criteria. The skill does not validate or sanitize prd.json contents.
INFO (-15): Platform runtime reads sensitive files during install
The filesystem monitor recorded reads of .env, .aws/credentials, .bashrc, and .profile during installation. These reads are attributable to the openclaw platform runtime (gateway lock file, agent config loading) rather than the skill itself, as the skill contains no executable code. However, users should be aware the platform accesses these files.
INFO (0): No executable code in skill
The skill consists entirely of markdown documentation files, JSON metadata, and template examples. No executable code, scripts, hooks, or submodules are present.
INFO (-5): External links are documentation references only
The skill references external URLs (github.com/snarktank/ralph, github.com/anthropics/claude-code, ampcode.com, aihero.dev) purely as documentation links for further reading. None are fetched, loaded, or executed by the skill.