ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

CreezFinance

Assistant for VCs/investors asking about the Creez project. Answers factual questions using a knowledge base (product, metrics, fundraising, etc.); when the...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 26 · 0 current installs · 0 all-time installs
by@huangjuhua-aigc
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the instructions: the skill queries a Creez knowledge API and optionally posts investor contact info to a lead endpoint. The hard-coded botId and endpoints align with the stated purpose.
!
Instruction Scope
The runtime instructions tell the agent to call an external API (https://creez.lighton.video) for knowledge and to POST personal contact data to /roundcloser/lead. That data flow is consistent with the skill's purpose, but the SKILL.md also references an environment override variable (CREEZ_KNOWLEDGE_API_BASE) even though no env vars are declared. The skill explicitly instructs the agent to collect and forward personally identifiable information (name, email, WeChat) — this is expected but high-impact, and the conditions for automatic forwarding ("clear intent") require careful implementation. There are no instructions that directly read local files or other credentials, which is good, but the agent will transmit PII to an external host.
!
Install Mechanism
There is no formal install spec, but the SKILL.md contains an 'Install locally' curl command that downloads SKILL.md from https://creez.lighton.video into the user's OpenClaw skills directory. That encourages fetching a file from an external domain at install time; although not executed automatically by the platform, it points users to run a network fetch from a third-party host (no homepage or well-known release host is provided).
Credentials
The skill declares no required environment variables or credentials (so it does not ask for AWS/Trello-style secrets). However, the docs mention an optional env var CREEZ_KNOWLEDGE_API_BASE to override the base URL — this env var is referenced in instructions but not declared in the skill metadata, an inconsistency that should be clarified. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request 'always:true' and is user-invocable only. There is no evidence it modifies other skills or system settings. Autonomous invocation is allowed (platform default), which means it can make the described network calls when used.
What to consider before installing
This skill will call an external API at creez.lighton.video and — when a user is judged to have "serious intent" and supplies contact details — will POST that personal information (name, email or WeChat, company, message) to the service. Before installing or enabling it: 1) Verify the domain and operator (there's no homepage provided); consider asking the skill publisher for provenance and privacy policy. 2) Don't blindly run the curl install command from an unknown host; instead inspect the remote SKILL.md first (via your browser or a vetted HTTPS fetch) and confirm TLS/cert validity. 3) Be aware the agent may transmit PII to that external endpoint — ensure you have user consent and that this behavior matches your privacy requirements. 4) Clarify the undocumented env var CREEZ_KNOWLEDGE_API_BASE with the publisher or treat it cautiously. If you need higher assurance, run the skill in a sandboxed environment or request the owner supply a verifiable homepage and server/operator contact before enabling.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk970fwwepkqd10h7ha51t5gm01830skm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🤝 Clawdis

SKILL.md

CreezRoundCloser

This skill serves VCs/investors interested in the Creez project: answer factual questions from the knowledge base first, then when conditions are met, forward the investor's contact info to the founder for follow-up.

Bot ID for this skill: a3e6d3f0-9d91-4dc0-8f84-7f3ca8a0619c. Include it in request bodies when calling the knowledge search API.

Backend API base

All Creez RoundCloser APIs use this base URL (override via env CREEZ_KNOWLEDGE_API_BASE if needed):

Base URL
https://creez.lighton.video

Endpoints:

PurposeMethodPathRequest body
Knowledge searchPOST/knowledge/search{ "botId": "a3e6d3f0-9d91-4dc0-8f84-7f3ca8a0619c", "query": "<question>", "topK": 5 }
Lead capturePOST/roundcloser/lead{ "name": "<required>", "email": "<optional>", "company": "<optional>", "wechat": "<optional>", "message": "<optional>" } — at least one of email or wechat required.

Full URLs:

  • Knowledge search: https://creez.lighton.video/knowledge/search
  • Lead capture: https://creez.lighton.video/roundcloser/lead

Send Content-Type: application/json. Responses are JSON with an ok field and either data or error.

Install locally

mkdir -p ~/.openclaw/skills/CreezRoundCloser
curl -sL "https://creez.lighton.video/SKILL.md" -o ~/.openclaw/skills/CreezRoundCloser/SKILL.md

Then enable the skill in OpenClaw (e.g. via openclaw skills or your OpenClaw config).

1. Knowledge search (knowledge_search)

Backend: POST https://creez.lighton.video/knowledge/search

Before making any factual claims about the company, call the knowledge base to avoid guessing or fabricating data.

When to call

  • Answering factual questions about Creez: metrics, fundraising, customers, roadmap, product capabilities.
  • When the answer depends on content in the bot's knowledge base.

How to call

Include the RoundCloser bot ID in the request. Example request body:

{
  "botId": "a3e6d3f0-9d91-4dc0-8f84-7f3ca8a0619c",
  "query": "<factual question or keywords>",
  "topK": 5
}

Or as a tool call:

knowledge_search({
  "botId": "a3e6d3f0-9d91-4dc0-8f84-7f3ca8a0619c",
  "query": "<factual question or keywords>",
  "topK": 5
})
  • botId (required for this skill): a3e6d3f0-9d91-4dc0-8f84-7f3ca8a0619c.
  • query (required): Natural-language question.
  • topK (optional): Number of snippets to return, 1–20, default 5.

Notes

  • If the API returns an error or empty results, ask the user to rephrase or supply more context; do not invent answers.

2. Lead capture (vc_lead_capture)

Backend: POST https://creez.lighton.video/roundcloser/lead

When the user shows "serious intent" and you have collected at least name and one contact method, call this tool to send their info to the founder.

When to call

Both must be true:

  1. Clear intent (at least one):

    • Roughly 10+ rounds of substantive conversation about Creez with RoundCloser, or
    • User asked deep questions the knowledge base could not answer, or
    • User explicitly asked for founder contact or requested a meeting/demo.

  2. Contact collected: You have from the user name and email and/or WeChat. If not yet complete, naturally ask for name, email, company, WeChat, availability; only call the tool in a later turn after they provide it.

How to call

vc_lead_capture({
  "name": "<user's name or how they want to be called>",
  "email": "<email if provided>",
  "company": "<company or fund name if provided>",
  "wechat": "<WeChat ID if provided>",
  "message": "<optional short note or availability>"
})
  • name (required): Full name or how the user wants to be called.
  • email (optional): Email address.
  • company (optional): Company or fund name.
  • wechat (optional): WeChat ID.
  • message (optional): Short note or availability.

Provide at least one of email or wechat so the founder can follow up.

Behavior

  • If info is incomplete (missing name or both email and wechat), the tool returns an error; ask the user for the missing fields and do not retry until provided.
  • If complete, the tool sends the payload to the backend (e.g. stored and Feishu notification to product owner). On success, use the reply_instruction: tell the user their details have been received and the founder will contact them soon; keep it professional and concise.

Scope and safety

  • Only call in RoundCloser/VC lead context; not for casual chat.
  • Do not fabricate contact fields; use only what the user explicitly provided.

3. Suggested flow

  1. Knowledge first: For Creez-related factual questions, call knowledge_search (with botId above), then answer from the results.
  2. Progressive disclosure: Follow the reply_instruction; disclose stepwise and encourage follow-up questions without repeating earlier content.
  3. Detect intent: Decide when the user meets the "serious intent" bar; if they ask for contact or a meeting, start collecting contact details.
  4. Submit after collection: Once you have name + email or wechat, call vc_lead_capture; on success, give a short confirmation per the reply_instruction.

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…