McKinsey Research

v2.1.0

Run a full McKinsey-level market research and strategy analysis using 12 specialized prompts. USE WHEN: - market research, competitive analysis, business str...

by Abdullah AlRashoudi (@abdullah4ai)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description ask for multi-step market research and the SKILL.md only requires web_search, web_fetch, and spawning sub-agents — these are appropriate and proportionate to producing research analyses. No unrelated env vars, binaries, or external credentials are requested.
Instruction Scope
Runtime instructions are explicit and scoped: they sanitize inputs, wrap data in <user_data> tags, spawn sub-agents for each analysis, restrict sub-agents' capabilities (no exec, no arbitrary messaging, limited file writes), and assemble a single HTML report. This is coherent, but the coordinator and sub-agents write analysis artifacts to local workspace directories (artifacts/research/...). Those artifact files persist across sessions and may contain sanitized user inputs and scraped web search results — the skill warns about not storing credentials but cannot technically prevent a user from submitting secrets which would then be stored. Also, the sanitization strips tags, URLs, code blocks and truncates fields, which mitigates some injection risks but does not remove arbitrary plaintext secrets or PII.
Install Mechanism
No install spec or external downloads; the skill is instruction-only and will not place new binaries on disk. Low install risk.
Credentials
The skill requests no environment variables or credentials, which is appropriate for its purpose. Note: it still writes user-provided business data and fetched market data to local artifact files, so the effective exposure surface is persisted data rather than env/credential access.
Persistence & Privilege
always:false and no special platform privileges — standard. However, artifact persistence is a meaningful privilege: sub-agent outputs and the final HTML report are stored in artifacts/research/{slug}/ and 'may be readable by other skills in the same workspace' (per references/security.md). That persistent storage is intentional for the workflow but increases risk if users supply sensitive data.
Assessment
This skill is internally consistent and appears to do what it says — a coordinated set of sub-agents performing 12 analyses and producing a report. Before using it:
(1) Do not paste secrets, API keys, passwords, or sensitive customer data into the intake form — artifact files are written to disk and persist.
(2) If you must test, use dummy data first to confirm output and artifact behavior.
(3) Review references/security.md — it strips tags, URLs, code blocks, and truncates inputs, but it cannot remove plain-text secrets you supply.
(4) Be aware the skill will perform web searches and may fetch URLs found in search results; the final report may include quoted external content subject to copyright or inaccuracies.
(5) Confirm you trust the skill source before cloning/installing (README suggests a third-party GitHub copy).
If you need stronger guarantees (no persistent storage or stricter secret scrubbing), ask for those features or run the skill in an isolated/ephemeral workspace.

Like a lobster shell, security has layers — review code before you run it.
