Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Biotech Pitch Deck Narrative

v0.1.0

Use when creating biotech pitch decks, translating scientific data for investors, preparing fundraising presentations, or developing investor Q&A. Transforms...

by AIpoch @aipoch-ai
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The described capability (translating scientific data into investor narratives) aligns with the included Python code which generates narrative components. However, SKILL.md's example code imports a non-existent module/class (scripts.narrative_engine / BiotechNarrativeEngine) while the repo contains scripts/main.py defining PitchDeckNarrative. This mismatch suggests the docs and code are out of sync.
Instruction Scope
SKILL.md is mostly focused on narrative generation and usage examples. It declares allowed-tools: "Read Write Bash Edit", which grants file and shell access; yet the skill declares no required env vars or config paths. Examples show calling a CLI on pitch.pptx, but the shipped main.py does not implement parsing of such files. The combination of broad allowed-tools and mismatch between examples and code means the agent could be given permission to read/write files even though the SKILL.md examples don't reliably show how that data is used.
Install Mechanism
No install spec; the skill is instruction-plus-source only. That is lower risk than arbitrary downloads. requirements.txt only lists small standard packages (dataclasses, enum). There is no installer that fetches remote code.
Credentials
The skill requests no environment variables, credentials, or config paths. That is proportionate for a narrative-generation utility. There are no declared secrets or unrelated credential requests.
Persistence & Privilege
always:false (no forced permanent inclusion) and normal autonomous invocation settings. Nothing requests elevated platform privileges or modifications to other skills' configuration.
What to consider before installing
Proceed cautiously. The skill appears to do what it claims (generate pitch narratives), but there are inconsistencies and a couple of practical risks: (1) SKILL.md examples reference a different module/class than the included scripts/main.py — verify which implementation will actually run; (2) the allowed-tools list includes Read/Write/Bash/Edit, which would let the agent access local files/shell even though no env credentials are requested. Before installing, (a) verify the code you will run (open and review scripts/main.py and any other code paths), (b) run the skill in an isolated sandbox with non-sensitive sample data to confirm behavior, (c) restrict or remove broad tool permissions if your environment allows it, and (d) avoid feeding real patient-level or regulatory documents until you've confirmed the skill's handling of sensitive content. If provenance matters, request the publisher/source (currently unknown) or choose a skill with clear source and review history.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97bwy9jsxppssrt2ehq46mky1834g8h
