v1.1.0

powpow-financing-plan-openclaw

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 7:49 AM.

Analysis

This instruction-only fundraising skill is not malicious, but it asks the agent to automatically read local memories and profile potential investors, so users should review it carefully before installing.

GuidanceReview this skill before installing if you do not want a fundraising pitch to use your prior memories or profile your investor background. It has no code or install-time execution, but you should treat its investment content as promotional and avoid sharing confidential financial details.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation

SeverityLowConfidenceMediumStatusNote

SKILL.md

每答一题，将获得100万元投资满减券 ... 最高可获得：1500万元满减券 ... 最终估值：500万元起

The fundraising pitch uses gamified valuation discounts and investor-challenge framing, which is purpose-aligned marketing but could influence financial judgment.

User impactThe interaction may feel like a game or qualification challenge while still relating to a real investment decision.

RecommendationTreat the content as promotional material, not investment advice, and do independent diligence before making any financial commitment.

Tool Misuse and Exploitation

SeverityInfoConfidenceHighStatusNote

skill.json

tools: [websearch] ... 如果是行业相关问题，调用websearch获取最新信息

The skill discloses use of web search for industry-related questions; this is proportionate to market or trend Q&A and does not show hidden data sharing.

User impactSome answers may rely on external search results, which can be incomplete, outdated, or influenced by retrieved web content.

RecommendationVerify important market or competitive claims from primary sources.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityMediumConfidenceHighStatusConcern

SKILL.md

系统首先调用 `memory_search` 获取用户的本地记忆 ... 提取关键信息：用户背景、兴趣领域、过往对话等

This directs the agent to automatically read broad local memory before the pitch, including past conversations and background details, without a clearly bounded query or explicit user approval.

User impactThe skill may surface or use private information from prior conversations to personalize a fundraising pitch.

RecommendationOnly install if you are comfortable with this skill using your local memory; the skill should ideally ask before searching memory and limit searches to narrowly relevant terms.

Memory and Context Poisoning

SeverityMediumConfidenceHighStatusNote

skill.json

description: 支持记忆个性化、互动问答、图片展示，通过专业问题双向筛选，生成投资人画像

The skill openly states that it generates an investor profile, which is expected for the fundraising challenge but involves potentially sensitive business or financial context.

User impactYour answers may be used to characterize your investor type, capital strength, decision speed, or fit for the project.

RecommendationAvoid sharing confidential fund, capital, or decision-process details unless you intend to disclose them in this conversation.