Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Validate
v2.1.1
Score startup idea through S.E.E.D. niche check + STREAM 6-layer analysis + Devil's Advocate inversion, auto-pick stack, and generate PRD with acceptance cri...
by Rust @fortunto2
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (idea validation, PRD generation, STREAM/S.E.E.D./Manifest checks) align with the skill's requests and capabilities: it uses local .md searches, bundled reference documents, web searches, and optional MCP KB/project/web search tools. No unrelated credentials, binaries, or installs are requested.
Instruction Scope
SKILL.md confines searches to markdown/docs and uses web searches and bundled references for analysis, which is appropriate. Caveat: allowed-tools include Read/Grep/Bash/Write/Edit — the instructions do ask the agent to read and potentially write project files (search .md, look for research.md, generate PRD). This is coherent for a validation/PRD skill but means it will access and may modify repository docs; confirm you want that behavior in the current workspace before running.
Install Mechanism
No install spec and no code files — instruction-only. This minimizes disk persistence and arbitrary code execution risk.
Credentials
No environment variables, credentials, or config paths are requested. The skill's use of MCP-specific tools is optional and appropriate; nothing asks for unrelated secrets or cloud credentials.
Persistence & Privilege
always is false and the skill is user-invocable. It may write PRD files (Write/Edit are allowed) but does not request system-wide or other-skills' configuration changes. Autonomous invocation is allowed by platform default but not granted elevated 'always' presence.
Assessment
This skill appears coherent and reasonably low-risk, but review these practical considerations before installing or running:
- It will read local markdown/docs (manifest, research.md, etc.) and may write generated PRDs to the project. Run it in a workspace that doesn't contain sensitive or private documents you don't want scanned or modified.
- The skill performs web searches and (if available) will use MCP KB/project/web search tools; it does not send data to unknown external endpoints beyond normal web search. Still review any output before sharing externally.
- Because Read/Grep/Bash/Write/Edit are allowed, the agent could modify files — back up important repo content or run in an isolated copy if you want to prevent accidental changes.
- No credentials or installs are requested, so there's no secret-exfiltration signal in the manifest. If you later add MCP tools that provide access to additional data sources, consider whether those tools should be restricted.
If you want extra caution: try the skill on a small, non-sensitive idea first and inspect generated files and logs to confirm behavior matches expectations.
Like a lobster shell, security has layers — review code before you run it.
latest: vk9751ffyswdt40hm2hn64zz2w981jgej
Runtime requirements
✅ Clawdis
