Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Company Builder

v1.0.0

Provides a complete AI-run company setup playbook, including memory system, safety rails, payment integration, and multi-platform launch in 72 hours.

by zinou @casperzinou
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the SKILL.md: it intends to build company artifacts, memory files, safety rails, payment setup, and platform launches. However, it lists other skills it will 'install' without declaring their requirements or how those installs happen, and it does not declare any environment variables even though payment integrations (Stripe/NowPayments) require API keys. This mismatch is explainable (human involvement is mentioned) but worth flagging.
Instruction Scope
Instructions are high-level and grant the agent broad, open-ended authority ('Run the AI Company Builder setup' → create files, configure payment infrastructure, submit to 21 platforms). The document does not constrain what account credentials the agent may request, where it may send data, or what external endpoints will be used for launches. That vagueness increases the risk that the agent will gather, store, or transmit sensitive data or take irreversible external actions.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to execute. That lowers immediate code-execution risk. The only install-like behavior is the SKILL.md claim that it 'installs' other skills, but no mechanism is provided here.
Credentials
The skill declares no required env vars, yet it promises a '.env template' and to configure payments (which need API keys). It therefore will likely prompt for/store sensitive keys at runtime. The lack of upfront declaration of these secrets and absence of information about secure storage is a proportionality concern.
Persistence & Privilege
always:false (good). The skill allows normal autonomous invocation (platform default). Because the instructions are broad and could trigger external account actions, consider the combination of autonomous invocation + broad instructions to be a risk if allowed without restrictions, but the skill does not request system-wide or other-skills' config changes explicitly.
What to consider before installing
This skill is coherent with its stated aim but is vague and potentially powerful. Before installing: (1) require the agent to run in a sandbox or with file-system write limits; (2) do not grant it automatic network/credential access — perform payment account creation and paste API keys yourself into a secure store rather than letting the agent gather them; (3) vet any sub-skills it claims to install (ai-memory-system, nowpayments-integration, etc.) and inspect their requirements and source repos; (4) restrict or review any autonomous run that will submit to external platforms; and (5) verify the publisher (TalonForge) and linked GitHub/store before trusting automation to create accounts or publish content.

Like a lobster shell, security has layers — review code before you run it.

latestvk97atyxgtcb8er3p0dbzd4z5vx84tjjk

