Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Built at GrowthX

v1.0.6

Submit your project to Built at GrowthX — the community builder showcase for GrowthX members. Requires a GrowthX API key.

Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)

Purpose & Capability

Name/description, required binaries (curl, jq, git), and required env var (GROWTHX_API_KEY) are appropriate for a project-submit skill that inspects local manifests and posts to GrowthX's API.

Instruction Scope

SKILL.md explicitly instructs the agent to read a limited set of project files (package.json, pyproject, Cargo.toml, go.mod, pubspec.yaml, README.md) and to run 'git remote -v' to infer a repository URL. This is expected for auto-filling submission fields, but it does mean the agent will read repository metadata and README content — review those files for secrets before submitting.

Install Mechanism

No install steps or external downloads; instruction-only skill (no code written to disk). Lowest-risk install profile.

Credentials

Only requests a single service credential (GROWTHX_API_KEY) which is the declared primary credential and matches the documented authentication header for the API. No unrelated secrets or config paths requested.

Persistence & Privilege

always is false and the skill does not request system-wide changes. It suggests storing the API key in OpenClaw config or as an environment variable (user choice). Default autonomous invocation is allowed (platform default) but the skill's flow requires user confirmation prior to final submission.

Assessment

This skill appears to do what it says: it will read your project's manifest files and README and run 'git remote -v', then POST the collected fields to https://backend.growthx.club using the GROWTHX_API_KEY you provide. Before installing/using:

  1. verify you trust GrowthX and that backend.growthx.club is the intended endpoint;
  2. inspect your repo for any sensitive data in the listed files (package.json, README, manifest files) because those can be read and included in the submission;
  3. prefer setting GROWTHX_API_KEY as an environment variable rather than writing it into ~/.openclaw/openclaw.json if you want fewer persistent copies, and know where to revoke the key if needed;
  4. confirm the final submission summary the agent shows before it makes the POST request.

Overall the skill is internally consistent and proportional to its purpose.

Like a lobster shell, security has layers — review code before you run it.

Tags: builder-showcase, growthx, latest, project-submission

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

Runtime requirements

🚀 Clawdis
Bins: curl, jq, git
Env: GROWTHX_API_KEY
Primary env: GROWTHX_API_KEY

SKILL.md

Built at GrowthX — Project Submission

Submit a project to Built at GrowthX, the community builder showcase for GrowthX members.

When to Use

Activate this skill when the user wants to:

  • Push, submit, or share a project to Built at GrowthX
  • Post a project to the GrowthX builder showcase
  • Publish their build on GrowthX

Getting an API Key

If the user hasn't configured their API key yet, direct them to:

  1. Go to Built at GrowthX on the GrowthX platform
  2. Navigate to their profile / API key settings
  3. Click Generate API Key — the raw key is shown once, copy it immediately
  4. Set the key in OpenClaw config: add it under skills.entries.growthx-bx-submit.apiKey in ~/.openclaw/openclaw.json, or set the GROWTHX_API_KEY environment variable

The key is tied to the user's GrowthX membership. If their membership lapses, the key stops working.

API Endpoint

POST https://backend.growthx.club/api/v1/bx/projects/agent

Authentication

Send the API key in the x-api-key header:

x-api-key: <GROWTHX_API_KEY>

Request Body (JSON)

Required fields:

| Field | Type | Constraints |
| --- | --- | --- |
| name | string | Max 100 characters. The project name. |
| tagline | string | Max 200 characters. A short one-liner about the project. |

Optional fields:

| Field | Type | Default | Constraints |
| --- | --- | --- | --- |
| description | string | "" | Max 2000 characters. Longer project description. |
| category | string | "SaaS" | e.g. SaaS, Fintech, Marketplace, EdTech, HealthTech, AI/ML, Developer Tools, E-commerce |
| stack | string[] | [] | Tech stack tags, e.g. ["React", "Node.js", "MongoDB"] |
| url | string | null | Project URL (must be a valid URI) |
| status | string | "shipped" | One of: shipped, idea, prototyping, beta |
| buildathon | string | null | Name of a buildathon if this project was built during one |

Example Request

curl -X POST "https://backend.growthx.club/api/v1/bx/projects/agent" \
  -H "Content-Type: application/json" \
  -H "x-api-key: $GROWTHX_API_KEY" \
  -d '{
    "name": "TaskFlow",
    "tagline": "AI-powered task management for remote teams",
    "description": "TaskFlow uses AI to automatically prioritize and assign tasks based on team capacity and deadlines.",
    "category": "SaaS",
    "stack": ["React", "Node.js", "OpenAI", "PostgreSQL"],
    "url": "https://taskflow.app",
    "status": "shipped"
  }' | jq .

Success Response (201)

{
  "project": {
    "_id": "...",
    "name": "TaskFlow",
    "tagline": "AI-powered task management for remote teams",
    "status": "shipped",
    "creator": { "name": "...", "avatar_url": "..." },
    "weighted_votes": 0,
    "raw_votes": 0
  }
}

Agent Behavior

When the user asks to submit a project, follow these steps in order:

Step 1 — Detect Projects in the Workspace

Scan standard project files in the current workspace to discover what the user has built. Only read these files:

Project manifest files:

  • package.json: name, description, keywords, homepage, repository
  • pyproject.toml / setup.py / setup.cfg: name, description, urls
  • Cargo.toml: name, description, repository, keywords
  • go.mod — module name
  • pubspec.yaml: name, description, homepage

Documentation:

  • README.md — project title (first # heading) and opening paragraph
  • git remote -v — repository URL

Monorepo detection:

For monorepos, check for workspace configs (workspaces in root package.json, pnpm-workspace.yaml, turbo.json, nx.json) or subdirectories with their own manifest files. Each workspace package with its own name/description is a candidate project.

How to infer fields:

| Field | How to Infer |
| --- | --- |
| name | name field from manifest file, or first heading in README |
| tagline | description field from manifest, or first sentence of README |
| description | Summarize from README content and manifest description (1-3 sentences) |
| stack | Dependencies and devDependencies from manifest (e.g. react → "React", express → "Express", django → "Django") |
| url | homepage field from manifest, or repository URL from git remote |
| category | Infer from dependencies and README (e.g. stripe → "Fintech", next → "SaaS", ML libraries → "AI/ML") |
| status | Default to "shipped". If README explicitly says WIP/prototype/beta, use that instead. |
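
A pre-submission check for the inputs Step 1 reads, as an added example that is not part of the skill or of GrowthX's own code: it strips embedded credentials from an http(s) remote URL before that URL is used as the url field, and reports file:line for secret-looking strings in the manifest and README files listed above. The function names, the --check flag and the pattern set are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-submission hygiene for the files the skill reads in Step 1.
# Function names and the pattern set are assumptions made for this example.

# Drop "user:token@" from an http(s) remote so it never lands in the url field.
sanitize_remote_url() {
  printf '%s\n' "$1" | sed -E 's#^(https?://)[^/@]+@#\1#'
}

# Starter patterns (not exhaustive): key=value secrets, PEM private keys,
# and URLs with embedded credentials.
KV_RE="(api[_-]?key|secret|token|passw(or)?d)[\"']?[[:space:]]*[:=][[:space:]]*[\"']?[A-Za-z0-9_/+=-]{16,}"
PEM_RE='-----BEGIN [A-Z ]*PRIVATE KEY-----'
URL_RE='https?://[^/@[:space:]]+:[^/@[:space:]]+@'

# Print "file:line" for each suspicious line; never echo the matched text.
scan_for_secrets() {
  dir=$1
  for f in package.json pyproject.toml setup.py setup.cfg Cargo.toml go.mod \
           pubspec.yaml README.md; do
    [ -f "$dir/$f" ] || continue
    grep -nEi -e "$KV_RE" -e "$PEM_RE" -e "$URL_RE" "$dir/$f" \
      | cut -d: -f1 | sed "s#^#$f:#"
  done
}

# Return non-zero when anything was flagged, so a wrapper can stop before the POST.
preflight() {
  findings=$(scan_for_secrets "$1")
  if [ -n "$findings" ]; then
    printf 'Review before submitting:\n%s\n' "$findings" >&2
    return 1
  fi
}

# Run as: sh preflight.sh --check /path/to/project
if [ "${1:-}" = "--check" ]; then
  preflight "${2:-.}" || exit 1
  sanitize_remote_url "$(git -C "${2:-.}" remote get-url origin 2>/dev/null)"
fi
```

Only locations are printed, so the check's own output can be pasted into a chat or ticket without repeating the flagged value.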

Step 2 — Present Discovered Projects

Show the user what you found. If multiple projects were detected (e.g. monorepo packages), list them and ask which one to submit:

I found these projects in your workspace:

  1. project-name — short description
  2. other-project — short description

Which one would you like to submit to Built at GrowthX?

If only one project is detected, present its details directly and ask to confirm.

Step 3 — Fill in Missing Details

For the selected project, show what was auto-detected and ask the user to fill in or correct anything:

  • name and tagline are required — if the tagline can't be inferred, ask for it
  • Show the auto-detected stack, category, url, description, and status and let the user adjust
  • Default status to "shipped" unless README or context suggests it's still in progress

Step 4 — Confirm and Submit

Show a final summary of all fields that will be sent:

Submitting to Built at GrowthX:

  • Name: TaskFlow
  • Tagline: AI-powered task management for remote teams
  • Category: SaaS
  • Stack: React, Node.js, OpenAI, PostgreSQL
  • URL: https://taskflow.app
  • Status: shipped

Submit this?

Only after the user confirms, make the API call using curl with the x-api-key header.

Step 5 — Report Result

On success, tell the user their project was submitted and share the project link if available. On failure, explain the error (see below).

Error Handling

| Status | Meaning | What to Tell the User |
| --- | --- | --- |
| 401 | Invalid or revoked API key | "Your API key is invalid or has been revoked. Please generate a new one from the Built at GrowthX settings." |
| 403 | Membership not active | "Your GrowthX membership is not active. An active membership is required to submit projects." |
| 400 | Validation error (missing name/tagline, field too long, etc.) | Show the specific validation error from the response body. |
