product-analysis

Multi-path parallel product analysis with cross-model test-time compute scaling. Spawns parallel agents (Claude Code agent teams plus Codex CLI) to explore the product from multiple perspectives, then synthesizes the findings into actionable optimization plans. Can invoke competitors-analysis for competitive benchmarking. Use when the user says "product audit", "self-review", "发布前审查" (pre-release review), "产品分析" (product analysis), "analyze our product", "UX audit", or "信息架构审计" (information architecture audit).

93

Quality: 92% (Does it follow best practices?)
Impact: Pending (No eval scenarios have been run)
Security (by Snyk): Critical (Do not install without reviewing)


Security

3 findings: 1 critical severity, 2 medium severity. Installing this skill is not recommended; if you do intend to install it, review these findings carefully first.

Critical

E006: Malicious code pattern detected in skill scripts

What this means

Detected high-risk code patterns in the skill content — including its prompts, tool definitions, and resources — such as data exfiltration, backdoors, remote code execution, credential theft, system compromise, supply chain attacks, and obfuscation techniques.

Why it was flagged

Malicious code pattern detected (high risk: 0.90). This skill explicitly instructs launching an external Codex CLI with "full-auto" and "dangerously-bypass-approvals-and-sandbox" flags, running parallel background agents with full filesystem access and silent detection/operation, which enables covert exfiltration of repo files, environment variables, credentials and autonomous remote code execution — indicating a high-risk, intentionally abusive capability (no explicit obfuscated payloads or reverse-shells are included, but the orchestration strongly facilitates them).

Medium

W011: Third-party content exposure detected (indirect prompt injection risk)

What this means

The skill exposes the agent to untrusted, user-generated content from public third-party sources, creating a risk of indirect prompt injection. This includes browsing arbitrary URLs, reading social media posts or forum comments, and analyzing content from unknown websites.

Why it was flagged

Third-party content exposure detected (high risk: 0.90). The skill's Phase 2 "compare" workflow explicitly invokes the Skill tool with "/competitors-analysis {competitor-name} {competitor-url}" and states that competitors-analysis performs repository cloning and evidence-based code analysis, so the agent will fetch and interpret untrusted external repositories/URLs that can influence its findings and actions.

Medium

W013: Attempt to modify system services in skill instructions

What this means

The skill prompts the agent to compromise the security or integrity of the user’s machine by modifying system-level services or configurations, such as obtaining elevated privileges, altering startup scripts, or changing system-wide settings.

Why it was flagged

Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt explicitly instructs running Codex CLI with autonomous/full-auto modes and even a "--dangerously-bypass-approvals-and-sandbox" option, and notes "full filesystem access" and repository cloning — i.e., it encourages bypassing sandbox/approval protections and gives agents ability to modify the filesystem, so it poses a high risk of compromising machine state.
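All three findings come down to text patterns in the skill's own instructions: a Codex CLI invocation that bypasses approvals and the sandbox, unsupervised background agents, and a sub-skill that fetches third-party URLs and repositories. The scanner below is an added example, not Tessl's or Snyk's analysis code, showing the kind of pre-install lint a team can run over a SKILL.md before an agent ever reads it. The two Codex CLI flags are the real ones quoted in the findings; the rule IDs, severities, weights and the sample skill text are constructed for illustration. One caveat worth encoding in the rules: Codex's `--full-auto` still runs inside its workspace sandbox and only auto-approves actions, whereas `--dangerously-bypass-approvals-and-sandbox` removes both protections, which is why the example rates the latter critical and the former medium.

```python
"""Pre-install lint for agent skill files (SKILL.md and similar).

Added example, not Tessl's or Snyk's scanner. Rule IDs are hypothetical;
the Codex CLI flags are real and taken verbatim from the findings above.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str    # hypothetical ID, not a Snyk finding ID
    severity: str   # "critical" or "medium", mirroring the report's levels
    pattern: str    # regex applied per line, case-insensitive
    message: str


RULES = [
    Rule("SANDBOX_BYPASS", "critical",
         r"--dangerously-bypass-approvals-and-sandbox",
         "instructs disabling Codex CLI approvals and sandbox"),
    Rule("FULL_AUTO", "medium",
         r"--full-auto|\bfull[- ]auto\b",
         "runs an external agent without per-action approval"),
    Rule("BACKGROUND_AGENT", "medium",
         r"\bbackground agents?\b",
         "spawns unsupervised parallel/background agents"),
    Rule("UNTRUSTED_FETCH", "medium",
         r"\{[^}]*url[^}]*\}|\bgit clone\b|\bcurl\s+https?://",
         "fetches third-party content the agent will interpret (prompt injection surface)"),
    Rule("CREDENTIAL_ACCESS", "critical",
         r"~/\.(ssh|aws|netrc)\b|\.env\b|\bprintenv\b",
         "reads credential material from the user's machine"),
]


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    line: int
    excerpt: str
    message: str


def scan_skill(text: str) -> list[Finding]:
    """Return one Finding per (line, rule) match, in line order then rule order."""
    compiled = [(rule, re.compile(rule.pattern, re.IGNORECASE)) for rule in RULES]
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, rx in compiled:
            match = rx.search(line)
            if match:
                findings.append(Finding(rule.rule_id, rule.severity, lineno,
                                        match.group(0), rule.message))
    return findings


SEVERITY_RANK = {"critical": 2, "medium": 1}


def verdict(findings: list[Finding]) -> str:
    """'block' on any critical finding, 'review' on any medium, else 'ok'."""
    worst = max((SEVERITY_RANK[f.severity] for f in findings), default=0)
    return {2: "block", 1: "review", 0: "ok"}[worst]


# Constructed sample skill text; it paraphrases the instructions the findings
# describe and is not the real SKILL.md from the repository.
SAMPLE_SKILL = """\
# product-analysis (constructed sample, not the real SKILL.md)
Phase 1: spawn parallel background agents to explore the product.
  codex --full-auto "map the information architecture"
  codex --dangerously-bypass-approvals-and-sandbox "fix what you find"
Phase 2: Skill("/competitors-analysis {competitor-name} {competitor-url}")
Phase 3: synthesize findings into an optimization plan.
"""


if __name__ == "__main__":
    results = scan_skill(SAMPLE_SKILL)
    for f in results:
        print(f"{f.severity:8} {f.rule_id:18} line {f.line}: {f.excerpt!r} ({f.message})")
    print("verdict:", verdict(results))
```

Run it against a skill before adding it to an agent's skill directory and wire `verdict` into the install step so that `block` fails the install. The rules are deliberately line-based and conservative; a skill that splits a flag across lines or builds it from fragments would slip past them, which is exactly the obfuscation class E006 also covers, so treat a clean scan as necessary rather than sufficient.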

Repository: fernandezbaptiste/claude-code-skills
Audited: Security analysis by Snyk
