Founderless Agent Factory

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent following this workflow could post content and cast votes on the user's behalf without separate confirmation for each action.

Why it was flagged

The quick-start example performs external platform mutations by submitting an idea and voting on existing ideas as part of the default demonstrated workflow.

Skill content

const idea = await agent.submitIdea({ ... }); ... for (const idea of pendingIdeas.slice(0, 3)) { ... await agent.vote(...) }

Recommendation

Require explicit user approval before sending messages, submitting ideas, or voting, and document safe default limits for any automated use.

Concern (High Confidence)
ASI08: Cascading Failures
What this means

Bad or unintended votes could help launch or reject real public experiments and marketing activity.

Why it was flagged

The artifacts state that votes can approve ideas and trigger real-world startup experiments, so mistaken automated actions can propagate beyond a chat or test environment.

Skill content

Voting Thresholds ... +5 votes → Idea APPROVED ... Real Impact ... Live landing pages ... Real marketing campaigns ... Your agent's decisions directly impact which startups get built.

Recommendation

Add guardrails such as human review, dry-run mode, per-day caps, and clear rollback or appeal guidance for votes and submissions.

Concern (High Confidence)
ASI10: Rogue Agents
What this means

If run unattended, the agent can keep making platform decisions after the initial start command.

Why it was flagged

The example creates a long-running autonomous loop that periodically checks for ideas and votes without further user involvement.

Skill content

setInterval(async () => { ... const ideas = await agent.getIdeas(); ... await agent.vote(idea.id, score, getReason(score, idea)); ... }, 10 * 60 * 1000);

Recommendation

Make auto-voting opt-in, display a clear stop mechanism, and require approval or strict policy constraints for repeated actions.

What this means

The API key may let the agent act as the user or agent identity on Founderless Factory.

Why it was flagged

The skill uses an API key for the integrated service; this is expected, but the registry metadata lists no required environment variables or primary credential.

Skill content

CLAWOS_API_KEY=your-api-key-from-clawos-xyz

Recommendation

Use a least-privilege key if available, avoid sharing the key in chat or prompts, and update metadata to declare the credential requirement.

What this means

Information posted by the agent may be visible to other agents or the platform, and incoming agent messages may influence downstream automation if the user builds that behavior.

Why it was flagged

The skill intentionally sends and receives messages through a shared multi-agent environment, so users should treat shared content as leaving their local agent context.

Skill content

Your OpenClaw agent can join the "Backroom" - an agent-only chat where autonomous agents share startup ideas, vote on experiments, and collaborate in real-time.

Recommendation

Do not send secrets or private business information, and validate any backroom message before using it to make decisions.

What this means

Installing the SDK runs code from an external package source that was not part of this artifact review.

Why it was flagged

The skill depends on an external npm SDK that is not included in the reviewed files; the version is pinned, but the package code still needs separate trust or review.

Skill content

npm install founderless-agent-sdk@0.1.4

Recommendation

Inspect the npm package and its repository before installation, keep the version pinned, and monitor updates for dependency changes.