Skill v2.1.0

ClawScan security

Pitch · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 9, 2026, 1:40 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and instructions are generally consistent with pitch coaching and only write data locally, but the SKILL.md overclaims several modules and scripts that are not present in the bundle and has small path/documentation mismatches; this inconsistency warrants caution.
Guidance
This skill appears to do what it says (local pitch coaching) and asks for no credentials or network access, but its documentation claims several scripts and reference files that are not actually included. Before installing or using it:
1) Review the bundled scripts to confirm they meet your needs and that you are comfortable with files being written to ~/.openclaw/workspace/memory/pitch.
2) Expect some SKILL.md features (coach_delivery, deck generation, analysis, extra reference docs) to be missing; the agent may error if instructed to call them.
3) If you need the missing capabilities, request an updated package from the publisher or inspect and implement those scripts yourself.
4) Treat the stored JSON files as potentially sensitive (they contain pitch content) and keep backups, or remove them if you no longer want that data saved.
Overall coherence is fine, but the documentation mismatch is a red flag for sloppy packaging; exercise caution and validate in a safe environment.
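One way to carry out checks 1 and 2 above before installing, as an added example that is not ClawHub, ClawScan or the skill's own code: the script below materialises a constructed skill bundle (the SKILL.md text and script names are assumptions modelled on this review's findings, plus one deliberately bad script that exists only to exercise the checker and is not a claim about the real skill), lists which files SKILL.md names but does not ship, and statically scans each bundled script for network imports, environment-variable reads and path literals outside the declared data directory. To use it on a downloaded skill, pass that skill's directory to the two check functions instead of the constructed bundle.

```python
"""Compare a skill bundle's SKILL.md claims with the files it ships, and flag
scripts that reach beyond the declared local data directory.
Added example, not ClawHub/ClawScan code; the sample bundle is constructed."""
import ast
import re
import tempfile
from pathlib import Path

DECLARED_DATA_DIR = "~/.openclaw/workspace/memory/pitch"   # taken from the review
NETWORK_MODULES = {"socket", "http", "urllib", "requests", "smtplib", "ftplib"}
FILE_REF = re.compile(r"[\w./-]+\.(?:py|md)\b")            # file names cited in SKILL.md

# Constructed bundle (all names assumed): two scripts that behave as the review
# describes, a SKILL.md that cites a script and a reference doc that are not
# shipped, and one bad script that exists only to exercise the checker.
SAMPLE_BUNDLE = {
    "SKILL.md": (
        "# Pitch\n\n"
        "Run scripts/build_foundation.py first, then scripts/elevator_pitch.py.\n"
        "For delivery feedback run scripts/coach_delivery.py.\n"
        "See references/objection_handling.md for the objection library.\n"
    ),
    "scripts/build_foundation.py": (
        "import json\nfrom pathlib import Path\n"
        f'DATA_DIR = Path("{DECLARED_DATA_DIR}").expanduser()\n'
        "def save(name, payload):\n"
        "    DATA_DIR.mkdir(parents=True, exist_ok=True)\n"
        '    (DATA_DIR / f"{name}.json").write_text(json.dumps(payload))\n'
    ),
    "scripts/elevator_pitch.py": (
        "import json\nfrom pathlib import Path\n"
        f'DATA_DIR = Path("{DECLARED_DATA_DIR}").expanduser()\n'
        "def load(name):\n"
        '    return json.loads((DATA_DIR / f"{name}.json").read_text())\n'
    ),
    # Constructed counter-example only; the reviewed skill's scripts do not do this.
    "scripts/not_in_skill_example.py": (
        "import os, smtplib\n"
        'TOKEN = os.environ.get("MAIL_TOKEN")\n'
        'OUT = "/tmp/pitch_export"\n'
    ),
}


def write_bundle(files, root=None):
    """Write a {relative path: text} mapping to disk and return the bundle root."""
    root = Path(root or tempfile.mkdtemp(prefix="skill-"))
    for rel, text in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return root


def documented_vs_shipped(root):
    """Return (present, missing): files SKILL.md cites that are / are not shipped.
    A citation counts as present if its path or its bare file name is in the bundle."""
    shipped = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    shipped_names = {Path(s).name for s in shipped}
    referenced = sorted(set(FILE_REF.findall((root / "SKILL.md").read_text())))
    present = [r for r in referenced if r in shipped or Path(r).name in shipped_names]
    missing = [r for r in referenced if r not in present]
    return present, missing


def script_findings(root, declared_dir=DECLARED_DATA_DIR):
    """Static AST pass over every .py in the bundle: network module imports,
    os.environ/os.getenv reads, and absolute or home-relative path literals
    that do not sit under the declared data directory."""
    findings = {}
    for script in sorted(root.rglob("*.py")):
        issues = []
        for node in ast.walk(ast.parse(script.read_text())):
            if isinstance(node, ast.Import):
                mods = {a.name.split(".")[0] for a in node.names}
            elif isinstance(node, ast.ImportFrom):
                mods = {(node.module or "").split(".")[0]}
            else:
                mods = set()
            for m in sorted(mods & NETWORK_MODULES):
                issues.append(f"network module: {m}")
            if (isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name)
                    and node.value.id == "os" and node.attr in ("environ", "getenv")):
                issues.append(f"environment access: os.{node.attr}")
            if (isinstance(node, ast.Constant) and isinstance(node.value, str)
                    and node.value.startswith(("~", "/"))
                    and not node.value.startswith(declared_dir)):
                issues.append(f"path outside declared dir: {node.value}")
        findings[script.relative_to(root).as_posix()] = issues
    return findings


if __name__ == "__main__":
    bundle = write_bundle(SAMPLE_BUNDLE)
    present, missing = documented_vs_shipped(bundle)
    print("cited and shipped:", present)
    print("cited but missing:", missing)
    for name, issues in script_findings(bundle).items():
        print(name, "->", issues or "no findings")
```

The static pass is a first cut, not a substitute for reading the scripts: it sees literal path strings and direct imports, so a path assembled at runtime or a module loaded through importlib would slip past it, and a citation in SKILL.md written in a form the regular expression does not recognise would not be counted. Treat an empty findings list as "nothing obvious", and any missing entry as exactly the packaging mismatch the verdict above warns about.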

Review Dimensions

Purpose & Capability
note: The name/description (pitch coaching) matches the included scripts (foundation builder, elevator pitch generator, objection prep, follow-up drafts). No credentials or network access are requested. However, the SKILL.md and Module Reference claim additional scripts and reference files (coach_delivery.py, save_meeting_notes.py, generate_deck_outline.py, analyze_pitch.py and multiple reference markdowns) that are not present in the bundle; this is an overclaiming/documentation mismatch.
Instruction Scope
note: Runtime instructions are explicit about using local scripts and keeping data local. The scripts only read/write JSON under a local path (~/.openclaw/workspace/memory/pitch) and print outputs; they do not call external services, send email, or access unrelated system data. The mismatch between the SKILL.md examples (which reference missing scripts) and the available scripts could cause the agent to attempt to run commands that do not exist, producing errors or unexpected behavior.
Install Mechanism
ok: There is no install spec (instruction-only with included scripts). Nothing is downloaded or written at install time beyond the scripts bundled in the skill, which lowers installation risk.
Credentials
ok: The skill requests no environment variables, no credentials, and no config paths outside a single local workspace directory. All data reads/writes are to a local directory under the user's home; these permissions are proportionate to the stated purpose.
Persistence & Privilege
ok: The skill does persist state (writes JSON files) under ~/.openclaw/workspace/memory/pitch, which is reasonable for a coaching tool. always: false (normal). It does not request system-wide privileges or modify other skills' configs.