leio9511

PM Skill

Author: leio9511 · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 74
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw: /install pm-skill
Description
Mandatory directive: act as a Product Manager (PM) and architect. When you have finished discussing with the Boss and are asked to write or generate a PRD, you must, and may only, follow this Skill's process to obtain the correct file path, and write the document yourself.
Safe-use recommendations
This skill is plausible for automating PRD creation, but it relies on and instructs the agent to run external scripts and modify files in your ~/.openclaw workspace and in another skill (leio-sdlc) without declaring those dependencies. Before installing or enabling it:
  1. Verify the existence and contents of spawn_auditor.py and ~/.openclaw/skills/leio-sdlc/scripts/commit_state.py; review them for side effects.
  2. Run the skill in an isolated or test workspace (not your production repo) to observe what files it touches.
  3. Ensure the templates and project paths referenced by init_prd.py actually exist where the skill expects them, or modify the skill to use a safe, declared config path.
  4. If you allow autonomous invocation, restrict it until you confirm those external scripts are trustworthy.
If you cannot inspect the external scripts, treat this skill as risky and avoid granting it write/exec permissions on real repositories or sensitive data.
Functional analysis
Type: OpenClaw Skill
Name: pm-skill
Version: 1.0.0
The bundle contains a path traversal vulnerability in 'scripts/init_prd.py': the '--project' argument is not sanitized before being used in 'os.path.join', potentially allowing the agent to create directories and write files outside the intended workspace. Furthermore, 'SKILL.md' contains highly prescriptive instructions (a prompt-injection surface) that mandate the execution of local scripts, including some located in external skill paths (e.g., 'leio-sdlc'), and 'preflight.sh' uses the risky pattern of executing any script matching 'scripts/test_*' without validation.
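The path-traversal finding above turns on an unsanitized '--project' value reaching os.path.join. The Python below is an added example, not code from the skill or from leio9511: init_prd.py is not shown on this page, so the workspace root, the PRD.md filename and the function names (unsafe_prd_path, safe_prd_path, escapes_root, is_safe_project) are assumptions that stand in for the described pattern. It goes slightly beyond the single case in the analysis, showing that a '../' prefix walks out of the root, that an absolute value makes os.path.join discard the root entirely, and that a symlink planted inside the workspace can redirect a write, and it shows the containment check an audited script should perform before creating directories or files.

```python
import os
import tempfile

# Assumed stand-in for the workspace root the analysis says the skill writes into;
# the real init_prd.py is not shown on this page, so this constant and the function
# names below are illustrative, not the skill's own code.
WORKSPACE_ROOT = os.path.join(os.path.expanduser("~"), ".openclaw", "workspace", "projects")
PRD_FILENAME = "PRD.md"  # assumed output name


class UnsafeProjectName(ValueError):
    """Raised when a --project value would place the PRD outside the workspace."""


def unsafe_prd_path(project: str, root: str = WORKSPACE_ROOT) -> str:
    """The pattern the analysis describes: the --project value is joined as-is.
    A leading '../' walks out of root, and an absolute value makes os.path.join
    drop root altogether (os.path.join('/ws', '/etc') == '/etc')."""
    return os.path.join(root, project, PRD_FILENAME)


def _is_under(root: str, path: str) -> bool:
    """True if path is root itself or a descendant of it (both already resolved)."""
    try:
        return os.path.commonpath([root, path]) == root
    except ValueError:  # different drives on Windows: cannot be inside
        return False


def safe_prd_path(project: str, root: str = WORKSPACE_ROOT) -> str:
    """Hardened form: accept only a single plain path component, then verify that
    the fully resolved target still lies under the resolved root. realpath follows
    symlinks, so a link planted inside the workspace cannot redirect the write."""
    if not project or project in (".", ".."):
        raise UnsafeProjectName("project name is empty or a dot entry")
    separators = [os.sep] + ([os.altsep] if os.altsep else [])
    if os.path.isabs(project) or any(sep in project for sep in separators):
        raise UnsafeProjectName("project name must be a single path component")
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, project, PRD_FILENAME))
    if not _is_under(real_root, candidate):
        raise UnsafeProjectName(f"{project!r} resolves to {candidate}, outside {real_root}")
    return candidate


def escapes_root(project: str, root: str = WORKSPACE_ROOT) -> bool:
    """Audit helper: would the unsanitized join land outside root?"""
    return not _is_under(os.path.realpath(root),
                         os.path.realpath(unsafe_prd_path(project, root)))


def is_safe_project(project: str, root: str = WORKSPACE_ROOT) -> bool:
    """Boolean wrapper around safe_prd_path for callers that only need a verdict."""
    try:
        safe_prd_path(project, root)
        return True
    except UnsafeProjectName:
        return False


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as ws:
        # Constructed inputs: a benign name, two traversal attempts, and a symlink
        # inside the workspace that points outside it.
        for name in ("my-app", "../../etc", "/etc"):
            print(f"{name!r:14} unsafe join escapes root: {escapes_root(name, ws)}"
                  f" | hardened accepts: {is_safe_project(name, ws)}")
        link = os.path.join(ws, "linked")
        try:
            os.symlink(tempfile.gettempdir(), link)
            print(f"{'linked':14} (symlink out of root) hardened accepts: "
                  f"{is_safe_project('linked', ws)}")
        except (OSError, NotImplementedError):
            print("symlink demo skipped (not permitted on this system)")
```

When reviewing a script like init_prd.py, the question to ask is whether anything between argument parsing and the first os.makedirs or open(..., "w") performs the equivalent of safe_prd_path; normalising with os.path.normpath alone is not enough, because it neither rejects absolute input nor resolves symlinks.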
Capability tags
crypto
Capability assessment
Purpose & Capability
The skill claims to be a PM/PRD generator and contains code to create and edit PRDs, which is coherent. However, the runtime instructions require calling scripts located in ~/.openclaw/workspace/projects/... and explicitly require using another skill's commit script (~/.openclaw/skills/leio-sdlc/scripts/commit_state.py) and an auditor (spawn_auditor.py). Those external cross-skill calls are not declared in the metadata (no required config paths or env vars) and grant the skill implicit access to other parts of the user's workspace, which is disproportionate to a standalone PM prompt.
Instruction Scope
SKILL.md mandates using exec to run an absolute-path init_prd.py, then to read/edit/write the returned absolute file path. It also mandates immediately invoking spawn_auditor.py after writing and using a remote commit_state.py gateway to baseline the PRD. spawn_auditor.py and the referenced commit_state.py are not included in the package; instructing the agent to run unknown external scripts and to write files in other projects expands the skill's scope and could cause unintended side effects.
Install Mechanism
No install spec (instruction-only packaging) — low install risk. All code is bundled in the skill package (scripts, preflight, deploy), and there are no downloads from external URLs. Minor build/deploy scripts reference files (e.g., agent_driver.py) that aren't present in the manifest, which will cause runtime errors but not necessarily a security issue.
Credentials
The skill declares no required env vars or config paths, yet the runtime instructions assume access to the user's ~/.openclaw workspace, project directories, and another skill's scripts. This is a mismatch: the skill needs filesystem and cross-skill access but does not declare or limit it. That lack of explicit declaration increases the risk of accidental access or privilege overreach.
Persistence & Privilege
The skill is not always-on and allows autonomous invocation (platform default). It instructs the agent to save PRDs and to call a central commit_state.py to baseline files (modifying project state). While not flagged as 'always', calling cross-skill commit utilities grants write-side effects across the workspace and should be reviewed before permitting autonomous runs.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install pm-skill
  3. After installation, call the Skill by name directly or trigger it with /pm-skill
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v1.0.0
Initial v1.0 release for PRD authoring
Metadata
Slug pm-skill
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Number of versions 1
FAQ

What is PM Skill?

Mandatory directive: act as a Product Manager (PM) and architect. When you have finished discussing with the Boss and are asked to write or generate a PRD, you must, and may only, follow this Skill's process to obtain the correct file path, and write the document yourself. It is an AI Agent Skill plugin for Claude Code / OpenClaw, downloaded 74 times so far.

How do I install PM Skill?

Run the command "/install pm-skill" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is PM Skill free?

Yes, PM Skill is completely free, released under the MIT-0 license; it can be freely downloaded, installed and used.

Which platforms does PM Skill support?

PM Skill is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed PM Skill?

Developed and maintained by leio9511 (@leio9511); current version v1.0.0.
