ClawHub

Board Reporting Framework

v1.1.0

Generates structured investor-ready board decks and reports including monthly KPIs, quarterly deep dives, annual reviews, and committee templates.

0· 543·0 current·0 all-time
by@1kalin
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (board decks, reports) align with the SKILL.md content: templates, benchmarks, and narrative rules. However the SKILL.md claims the agent "will pull your data and structure it" without documenting what data sources, connectors, or permissions are required — an unexplained capability.
!
Instruction Scope
SKILL.md is instruction-only and contains detailed templates and rules, which is fine. But the usage language is open-ended ('it will pull your data') and gives the agent broad discretion without specifying which files, APIs, or endpoints to use, what to read, or what to transmit. Vague instructions like this can lead the agent to access unrelated data or ask for credentials at runtime.
Install Mechanism
No install spec and no code files — lowest-risk distribution model. Nothing will be written to disk by the skill itself during install.
Credentials
The skill declares no required environment variables, credentials, or config paths. There is no immediate evidence it requests unrelated secrets. The main proportionality concern is the undocumented "pull your data" behavior in the usage text (no declared connectors).
Persistence & Privilege
always is false and normal autonomous invocation is allowed. The skill does not request permanent presence, system config changes, or cross-skill config access.
What to consider before installing
This skill appears to contain legitimate board-report templates and guidance, but it is vague about how it obtains "your data." Before installing or invoking it, ask the publisher these questions: (1) Exactly which data sources or connectors does the skill use (files, Google Drive, Slack, internal DBs, BI tools)? (2) Will any data be sent to external endpoints or third-party services? If so, which ones and why? (3) Does the skill store anything (logs, audit trails) and where? (4) Do you need to provide credentials, and if so, can you scope them narrowly (read-only, specific dataset)? If the author cannot clearly answer, treat it as higher risk. Practical steps: test with non-sensitive or synthetic data first, review agent prompts and any permission prompts the agent shows, avoid supplying full financial or personal credentials until you understand the data flow, and verify the AfrexAI links and publisher identity before paying for or enabling any external context packs.

Like a lobster shell, security has layers — review code before you run it.

SaaSvk978g6g7thgjj9pv62z77npc6h81f3p1aivk973jkevakat0jzxrg3eav8jc981mn7kboardvk978g6g7thgjj9pv62z77npc6h81f3p1businessvk973jkevakat0jzxrg3eav8jc981mn7kdeckvk978g6g7thgjj9pv62z77npc6h81f3p1investorvk978g6g7thgjj9pv62z77npc6h81f3p1latestvk973jkevakat0jzxrg3eav8jc981mn7kmetricsvk978g6g7thgjj9pv62z77npc6h81f3p1reportingvk978g6g7thgjj9pv62z77npc6h81f3p1startupvk978g6g7thgjj9pv62z77npc6h81f3p1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments