Growth Loop Orchestrator
Security checks across malware telemetry and agentic risk
Overview
This appears to be a benign local growth-planning skill, with disclosed but review-worthy recommendations around public sharing/indexing and minor packaging gaps.
This skill looks safe to use as a local planning/report generator. Before installing or using it, be aware that some generated recommendations favor public-by-default sharing and search indexing, so require explicit privacy review before implementing those ideas. Also note that several documented helper scripts are missing from the package, and generated report/metrics files may remain in the local data directory.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a generated plan is implemented directly, private or sensitive outputs could become public or search-indexed by default.
The content-loop template recommends public-by-default outputs and search indexing. This is aligned with growth-loop design, but if implemented without privacy review it could cause user-created content to propagate publicly.
- **Default**: Public (opt-out) - **Indexing**: Automatic SEO optimization ... - [ ] Make outputs public by default - [ ] Submit to search engines
Require explicit user opt-in, content classification, and approval before making outputs public or submitting them for indexing.
Users may expect commands to exist or later obtain unreviewed helper files outside this artifact set.
SKILL.md documents helper scripts that are not included in the supplied file manifest/source. This is a packaging/provenance gap, not evidence of malicious behavior.
./scripts/optimize-loop.sh --loop-id <id> ... ./scripts/generate-report.sh --type loops|funnel|portfolio ... ./scripts/simulate-loop.sh --design <file> ...
Use only the included reviewed scripts unless the missing helpers are supplied and reviewed; update documentation or the manifest to match the package.
Growth metrics or report outputs may persist locally after the task is complete.
The metrics workflow writes persistent local dashboard data. This is expected for reporting, but users should be aware that generated metrics remain on disk.
DATA_DIR="${GROWTH_DATA_DIR:-$SKILL_DIR/data}"
METRICS_FILE="$DATA_DIR/METRICS-$(date +%Y%m%d).json"
cat > "$METRICS_FILE" << EOFAvoid putting sensitive raw user behavior data into generated reports unless needed, and manage retention or cleanup of the data directory.