v1.0.0

Revenue-First Solofounder Studio

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:32 AM.

Analysis

This is a coherent revenue-studio skill, but it deserves review because it launches many autonomous agents and its promised governance and memory safeguards are not clearly bounded in the artifacts.

Guidance: Install only if you intend to supervise multi-agent startup workflows. Run it in a separate workspace, restrict available tools and external accounts, require human approval for agent batches, outreach, publishing, landing pages, paid actions, or account-changing steps, and periodically review or clear the revenue-studio memory/log outputs.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium; Confidence: High; Status: Concern
scripts/spawn-studio.sh
openclaw spawn "Signal Mesh: Collect market signals from X, Reddit, RSS feeds" & ... openclaw spawn "Revenue Lab: Create first offer" &

The helper starts multiple OpenClaw agents in parallel and gives them broad business and research tasks; the artifacts do not show per-agent tool boundaries, stop conditions, or human approval before external-facing actions.

User impact: A user could unintentionally start a batch of agents that consume resources, use any available tools or accounts, and move business workflows forward faster than the user can review.
Recommendation: Run one stage at a time or add explicit per-stage approvals; restrict spawned agents’ tools, accounts, spending, posting, sending, and file-write permissions.

Human-Agent Trust Exploitation
Severity: Medium; Confidence: Medium; Status: Concern
SKILL.md
- **Stage-gated** - 7 stages from Observe to Scale/Kill, no skipping
- **Governance** - Hard rules, approval gates, audit trails

These safety assurances are material, but the provided files do not include concrete gate, approval, or audit implementations, and the helper script directly spawns later layers. Users may over-trust protections that are not evidenced in the artifacts.

User impact: A user may believe the studio will enforce strict approvals, while the included automation can begin multiple workstreams without showing those controls.
Recommendation: Treat the governance language as a plan, not an enforced safety control, unless the skill is updated with explicit gate definitions, approval prompts, and audit-log behavior.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low; Confidence: High; Status: Note
SKILL.md
1. **Signal Mesh** - Collect market signals from X, Reddit, RSS, changelogs ... - **Memory continuity** - Write-ahead logging for restart resilience

The skill plans to ingest untrusted external market content and persist it for later use, so stored context can influence future decisions if it becomes stale, biased, or manipulated.

User impact: Market posts, competitor data, or other external signals could be carried into later product decisions and launches as persistent context.
Recommendation: Review stored studio outputs, label source trust, expire old signals, and clear or reset memory between unrelated projects.