AI C-Suite

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill appears to be a local Python decision-support workflow with no credential or network behavior, but it handles local business context and writes decision files.

This looks safe to use as a local decision-support tool if you are comfortable running the included Python scripts. Run it from the skill directory, review generated logs before sharing, and make sure any real company config or logs are not accidentally committed or published.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can run local Python commands and create or overwrite local decision files; if run from the wrong directory, the scan step may traverse more files than intended.

Why it was flagged

The skill grants local shell/file tool use and instructs running local Python scripts that scan files and write an output file. This matches the script-backed purpose, but the user should keep execution scoped.

Skill content

allowed-tools: Read, Write, Edit, Bash, Glob, Grep, Task ... python3 scripts/security_scan.py . ... --output logs/latest-decision.md

Recommendation

Run the workflow from the skill directory, keep outputs under logs/, and avoid using broader tool authority unless explicitly needed.

What this means

Company strategy, financial context, and constraints may remain in local config or log files after use.

Why it was flagged

The skill intentionally processes business context and persists the generated strategic decision to a local markdown file.

Skill content

Load company context from: config/company.yaml ... ARR or MRR ... runway (months) ... team size ... constraints list ... --output logs/latest-decision.md

Recommendation

Use sanitized inputs when appropriate, protect generated logs, and delete or exclude sensitive local files when no longer needed.

What this means

A user who follows the publishing flow without checking ignored files could accidentally commit and push a real local company config.

Why it was flagged

The README separately suggests creating a local config with real values and later shows a broad Git add/push publishing flow. This is user-directed documentation, not automatic behavior, but it could propagate local business data if not reviewed.

Skill content

cp config/company.yaml config/company.local.yaml ... Edit config/company.local.yaml with your real values. ... git add ai-csuite ... git push origin main

Recommendation

Before running Git publishing commands, confirm config/company.local.yaml and generated logs are excluded or intentionally safe to publish.