Back to skill

Security audit

founder-coach

Security checks across malware telemetry and agentic risk

Overview

This is a coherent founder-coaching skill, but it needs Review because it can read private PhoenixClaw journals and persist sensitive coaching observations without clear opt-in or deletion controls.

Install only if you are comfortable with a local coach reading PhoenixClaw journals/profile data and saving founder profile and weekly report files. Before using it, confirm whether PhoenixClaw integration and cron reports are enabled, which files it may read or write, and how you can review, disable, or delete stored coaching observations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The skill states PhoenixClaw integration is one-way/read-only, but then says weekly reports may add a 'Coaching Insights' section to PhoenixClaw daily journals. That contradiction can mislead reviewers and users about actual data flows, causing unexpected writes into another system that may contain sensitive personal data. In a coaching skill that reads journals and memory, inaccurate data-flow documentation materially increases privacy and integrity risk.

Intent-Code Divergence

Low
Confidence
92% confidence
Finding
The template explicitly promises that the AI will never modify the User Notes section, but the section is still represented as a normal writable placeholder with no technical control enforcing immutability. In an agent workflow, this can mislead users into placing sensitive reflections or instructions there under a false guarantee, and the agent may later overwrite, summarize, or act on that content.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The onboarding flow instructs the skill to write sensitive founder-provided data into a hard-coded external workspace path (`~/PhoenixClaw/Startup/founder-profile.md`) that is not necessary for basic coaching. This creates an unnecessary data propagation channel into another knowledge base, increasing privacy risk and the chance of unintended disclosure or cross-context contamination.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The documentation expands the skill's role from mindset coaching into maintaining an external Obsidian/PhoenixClaw knowledge base, which is a material scope increase. That broadens data handling beyond the declared purpose and can cause sensitive startup information to be copied into unrelated files or systems without meaningful consent boundaries.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The skill introduces PhoenixClaw journal integration even though the declared purpose is founder coaching, creating an unnecessary cross-tool access path. Unjustified integrations expand the attack surface and may expose sensitive coaching or business data to another local tool without a clear user need or consent boundary.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The onboarding flow instructs the skill to detect whether PhoenixClaw is installed and then coordinate with its journals, which is a capability expansion beyond coaching. Detecting and interacting with another tool's local data can leak sensitive founder reflections, create covert data flows, and violates least-privilege expectations for a mindset coach.

Description-Behavior Mismatch

Low
Confidence
78% confidence
Finding
The documentation expands the skill into a persistent local configuration manager by storing data in the user's home directory. While persistence itself can be legitimate, it increases risk by creating local artifacts containing potentially sensitive startup metadata and by normalizing file-system write access for a coaching skill.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The guide explicitly instructs the skill to read data from another skill's journal path and to use recent conversation logs, which expands data access beyond the founder-coach skill's narrowly described purpose. This creates a privacy and data-minimization risk because sensitive cross-skill notes and broader chat history could be ingested into reports without a clear need-to-know boundary or explicit user consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly says it may read PhoenixClaw journal_path, daily journals, and memory, but it does not present a clear privacy warning, consent boundary, or minimization rule. Because journals and memory are likely to contain highly sensitive personal or business information, silent access creates a real confidentiality risk and can exceed user expectations for a founder-coaching tool.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The onboarding instructions direct the agent to create directories and files and write user-supplied content, but they do not require any explicit warning or consent before those filesystem changes occur. Silent persistence of potentially sensitive founder and company data is dangerous because users may reasonably expect a conversational coach, not a tool that modifies local storage.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The integration guide instructs Founder Coach to treat PhoenixClaw as a primary context source and read daily journals, profile data, and growth patterns, but it does not require an explicit user-facing disclosure or consent step before accessing this sensitive personal data. Because the skill is a coaching assistant rather than a journaling tool, silent access to reflections, mood, energy, and personal patterns creates a meaningful privacy risk and can expose highly sensitive information beyond what users expect in the immediate interaction.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The onboarding flow directs the skill to create and populate a config file in the user's home directory without an explicit warning that personal and business-related information will be stored locally. This undermines informed consent and could surprise users with persistent storage of sensitive founder context such as company stage, team size, and PMF self-assessment.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
PhoenixClaw integration is presented as beneficial without clearly warning that coaching data may be shared with or inferred from another tool. This can lead to unauthorized or unexpected disclosure of sensitive journals, founder reflections, and business planning information.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The trigger phrases are broad enough that ordinary coaching requests could be interpreted as consent to start tracking a challenge, which may cause the agent to take actions the user did not clearly authorize. In a coaching skill that observes conversations and records evidence, ambiguous activation can lead to unwanted state changes, over-collection of behavioral data, or proactive nudging outside the user's expectations.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The manual trigger phrases are generic enough that ordinary conversation such as asking 'how was my week' could unintentionally invoke report generation. When combined with the broad data-source instructions, this increases the chance of unexpected aggregation of personal journals and session history without a deliberate, informed action by the user.

Hidden Instructions

High
Category
Prompt Injection
Content
{{CHALLENGES_LOG}}

## 📝 User Notes
<!-- 💡 This section is SACRED. AI will never modify this. Use it for your personal reflections, hidden goals, or explicit instructions to the coach. -->
{{USER_NOTES}}

## 🤖 AI Observations & Insights
Confidence
89% confidence
Finding
<!-- 💡 This section is SACRED. AI will never modify this. Use it for your personal reflections, hidden goals, or explicit instructions to the coach. -->

Session Persistence

Medium
Category
Rogue Agent
Content
1. **Onboarding** (First Use):
   - Detect if `~/.founder-coach/config.yaml` exists
   - If not, initiate 5-7 question onboarding flow
   - Create `~/PhoenixClaw/Startup/founder-profile.md`
   - Explain coaching approach and expectations

2. **Real-time Coaching** (Ongoing Conversations):
Confidence
91% confidence
Finding
Create `~/PhoenixClaw/Startup/founder-profile.md` - Explain coaching approach and expectations 2. **Real-time Coaching** (Ongoing Conversations): - Listen for low-level thinking patterns (excus

Session Persistence

Medium
Category
Rogue Agent
Content
3.  **Inquiry**: Ask a series of 5-7 core questions to understand the startup's context and the founder's current state.
4.  **Confirmation**: Summarize the answers and confirm the details with the user to ensure accuracy.
5.  **Initialization**:
    *   Create the `~/.founder-coach/` directory.
    *   Generate `config.yaml` with the confirmed settings.
    *   Initialize the `founder-profile.md` at `~/PhoenixClaw/Startup/founder-profile.md` with the initial discovery data.
6.  **Transition**: Smoothly transition into the first coaching session, typically by addressing the "biggest challenge" identified during inquiry.
Confidence
92% confidence
Finding
Create the `~/.founder-coach/` directory. * Generate `config.yaml` with the confirmed settings. * Initialize the `founder-profile.md` at `~/PhoenixClaw/Startup/founder-profile.md` with the

Session Persistence

Medium
Category
Rogue Agent
Content
*   "How many people are on your team?"
    *   "On a scale of 1-10, how would you rate your current Product-Market Fit?"
4.  **Initialization:**
    *   Create the `~/.founder-coach/` directory if missing.
    *   Generate the `config.yaml` file with the collected answers.
5.  **Integration Check:** If PhoenixClaw is installed, explain how integration will help track progress.
6.  **Transition:** Proceed immediately to the first coaching check-in.
Confidence
84% confidence
Finding
Create the `~/.founder-coach

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.