Built at GrowthX

Pass

Audited by ClawScan on May 1, 2026.

Overview

This skill appears coherent with its stated purpose: it gathers project details, asks the user to review them, and submits them to GrowthX using a required API key.

Before installing, confirm that the GrowthX endpoint and publisher are trustworthy, provide only a GrowthX-specific API key, and review all generated project details before approving the submission.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Submitting may publish or share the project details under the user's GrowthX account.

Why it was flagged

The skill performs a write action to an external API. This is purpose-aligned for submitting a project, and the instructions also say to show the user a final summary of fields that will be sent.

Skill content

POST https://backend.growthx.club/api/v1/bx/projects/agent

Recommendation

Review the final submission details carefully before approving, especially the project URL, description, and status.

What this means

Anyone or any agent with access to the key may be able to submit projects as the GrowthX member, depending on the key's permissions.

Why it was flagged

The skill requires a GrowthX API key and uses it to authenticate submissions. This is expected for the GrowthX integration and no unrelated credential use is shown.

Skill content

Send the API key in the `x-api-key` header ... set the `GROWTHX_API_KEY` environment variable

Recommendation

Use a GrowthX-specific API key, keep it out of shared logs or prompts, and revoke or rotate it if it is exposed.

What this means

Private project metadata could be included in the draft submission if it appears in the allowed project files.

Why it was flagged

The skill reads bounded local project metadata and summarizes it into submission fields. This is purpose-aligned, but it can include private repository URLs or README content if present.

Skill content

Scan standard project files in the current workspace ... Only read these files ... `README.md` ... `git remote -v`

Recommendation

Check the generated summary before submission and remove private repository links, internal names, or sensitive README details.

What this means

The user has less external information to verify who maintains the skill or whether it is officially associated with GrowthX.

Why it was flagged

The registry metadata does not provide a source repository or homepage, which limits provenance verification. No code or install-time execution is present in the supplied artifacts.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify the GrowthX API endpoint and publisher before providing an API key.