ClawHub
Back to skill

Security audit

Revenue-First Solofounder Studio

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed revenue-research workflow that can launch multiple OpenClaw agents and gather public market signals, but it does not show hidden installation, credential theft, destructive behavior, or automatic execution on install.

Install only if you want an agent-assisted revenue research workflow. Run the helper script intentionally, expect multiple agents and possible network/tool quota use, and review generated theses, landing pages, offers, and outreach before publishing or contacting real customers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill description is extremely broad and action-oriented, presenting a high-autonomy business-development system without clear trigger boundaries, user-consent requirements, or operational limits. In an agent environment, vague invocation scope can cause the skill to be selected for loosely related prompts and initiate multi-step external actions or planning beyond what the user explicitly intended.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly describes collecting market signals from external platforms like X, Reddit, RSS, and changelogs, but provides no notice about data handling, platform terms, privacy considerations, or consent boundaries. In context, this is more dangerous because the skill is framed as massive parallel orchestration, which can amplify unauthorized scraping, collection of personal data, or high-volume external interactions without operator awareness.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal