Skill v2.0.0
ClawScan security
Solopreneur · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 10, 2026, 6:10 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill claims a full solo-business suite (pipeline, invoicing, reviews) but the package only contains a read-only dashboard script and references many missing scripts and docs — the implementation is incomplete and inconsistent with its claims.
- Guidance: This package is incomplete and therefore untrustworthy for the features it advertises. Before installation or use: 1) Ask the publisher for the missing scripts and the referenced 'references/' docs so you can review their code. 2) Inspect any missing scripts for network calls, subprocess execution, or credential use (none should be required for local-only storage). 3) Confirm exactly where data will be stored and that it is indeed local (the script uses ~/.openclaw/workspace/memory/solopreneur). 4) Run the skill in an isolated environment if you need to test it. 5) If you expect invoicing or payment features, do not supply any payment credentials—this skill explicitly says it should never process payments, but that functionality is also not present in the package. If the author cannot provide the missing files or a satisfactory explanation, treat the skill as incomplete and avoid relying on it for critical business tasks.
Review Dimensions
- Purpose & Capability (concern): The description promises dashboard, pipeline tracking, invoicing, prioritization, and weekly reviews. The repository only includes scripts/dashboard.py. SKILL.md references many other scripts (add_prospect.py, draft_invoice.py, prioritize.py, weekly_review.py, etc.) and reference files that are not present. The single included file implements only a read-only dashboard view; it cannot fulfill invoicing, pipeline mutation, or review workflows as claimed.
- Instruction Scope (concern): Runtime instructions instruct the agent to run multiple scripts and store data under memory/solopreneur/. The included dashboard.py reads from ~/.openclaw/workspace/memory/solopreneur/dashboard.json and performs only local reads/prints (no network or credential access). However most runtime actions (adding prospects, drafting invoices, prioritizing) refer to scripts that are missing, so the SKILL.md's operational instructions are not implementable from the provided files.
- Install Mechanism (ok): No install spec is provided and this is predominantly instruction-only with a single small Python script. That reduces install-time risk: nothing is downloaded or extracted by the skill itself.
- Credentials (ok): The skill declares no required environment variables or credentials. The included script does not access environment variables or network resources. Requested permissions are proportionate to the stated local-data behavior.
- Persistence & Privilege (ok): always is false and disable-model-invocation is not set — normal defaults. The skill does not request persistent platform-level privileges and the provided code does not change other skills or global settings.
