Validate

Pass

Audited by ClawScan on May 10, 2026.

Overview

The provided artifacts show an instruction-only startup validation workflow with disclosed local search, web search, and file-writing capabilities, but no evidence of hidden code, credential use, persistence, or exfiltration.

This skill appears safe for its stated purpose, but use it in the correct project folder, review any proposed file edits or shell commands, and avoid including confidential idea details in web searches if that would be sensitive.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked, the agent may have the ability to run shell commands or edit files while performing validation.

Why it was flagged

The skill declares broad local tools, including shell execution and file modification. These are disclosed; Write/Edit align with PRD generation, but Bash is not clearly bounded in the visible workflow.

Skill content

allowed-tools: Read, Grep, Bash, Glob, Write, Edit, AskUserQuestion, WebSearch, mcp__solograph__kb_search...

Recommendation

Use it in the intended project workspace, review any proposed Bash command or file edit, and prefer explicit approval before changes are written.

What this means

Users have less ability to independently verify the origin or maintenance history of the prompt instructions.

Why it was flagged

The skill has limited external provenance, but it also has no install commands or executable code in the supplied artifacts.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

Recommendation

Review the prompt text before relying on it, especially because the supplied SKILL.md excerpt is truncated in this review.

What this means

Private project or knowledge-base content related to the idea may be read and summarized during validation.

Why it was flagged

The skill intentionally retrieves and summarizes local/project knowledge to validate ideas. This is purpose-aligned, but it can bring private notes into the agent context.

Skill content

Grep for idea keywords in `.md` files across the project and knowledge base ... Summarize any related documents found

Recommendation

Run it only in workspaces whose markdown files are appropriate for the agent to read, and avoid storing secrets in project notes.

What this means

Confidential startup idea terms, categories, or competitor names may be sent to external search infrastructure.

Why it was flagged

The skill uses WebSearch and MCP web search to investigate competitors and failed startups. This is disclosed and purpose-aligned, but search terms may reveal confidential idea details to a search provider.

Skill content

WebSearch: `"<idea category>" startup failed OR pivoted OR shut down`

Recommendation

Avoid using sensitive unreleased product names or confidential details in search queries unless you are comfortable sharing them with the search provider.