Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
startup-researcher
v1.3.2
Research AI startups, funding, and product announcements. Generates a structured intelligence report as a PDF. Use when asked to research startups, update th...
⭐ 0 · 94 · 1 current · 1 all-time
by Xiaoyu Kevin Hu (@hxy9243)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (startup research + PDF output) matches the instructions and included files: watchlist.yaml, research prompts, report compiler, CSS, and example profiles. Declared dependencies (Python, Markdown, WeasyPrint) are reasonable for generating styled PDFs and markdown-to-HTML conversion. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md explicitly instructs the agent to perform web searches, use a browser subagent, save per-company markdown profiles under references/<date>/..., aggregate category analyses, and generate a PDF. These steps are in-scope for the stated purpose. Two operational notes: (1) the skill tells the agent to always read the local watchlist.yaml and many bundled prompt files — expected for an orchestrator; (2) it instructs installing system C-libraries (pango/cairo/gdk-pixbuf) when WeasyPrint is not present, which requires package-manager commands and potentially elevated privileges; this is proportional to PDF generation but you should confirm you want the agent to run installs in your environment.
Install Mechanism
There is no automated install spec — this is instruction-only. The README suggests an npx install command for the repo, but the running instructions only recommend using the agent's tools to install Python packages or OS libraries if missing. No downloads from arbitrary URLs or extracted archives are required by the skill itself.
Credentials
The skill requests no environment variables, no external credentials, and no config paths. The prompts ask the agent to consult public sources (company websites, Crunchbase, news) which is consistent with the research goal. There are no requests for unrelated secrets or tokens.
Persistence & Privilege
always:false (not force-included). The skill writes files into a local workspace (references/<date>/...), which is expected for an orchestrator that saves intermediate profiles and final outputs. It does not request to modify other skills or global agent settings.
Assessment
This skill appears to do what it says: run web research, save per-company markdown profiles, synthesize category analyses, and produce a styled PDF. Before installing or running it, consider: (1) PDF generation: the skill may try to install system C-libraries (apt/brew/dnf) if WeasyPrint is absent — running these commands requires package-manager access and sometimes root privileges, so only allow installs in an environment where you trust the agent to run them; (2) file writes: it will write temporary and final files to your workspace under references/<date>/..., so ensure that directory is appropriate and does not contain sensitive data; (3) web access: the agent will browse and fetch public sites (including paywalled sources like Crunchbase/Pitchbook), so expect network activity and possible rate limits; (4) autonomous invocation: the skill can be invoked autonomously by the agent (default) and has tools to call the browser subagent, run shell commands, and write files — if you want to restrict automated runs, disable or require confirmation before execution. If you want to avoid installs, pre-provision Python + weasyprint + system libraries in the environment and/or instruct the agent not to attempt package-manager installs.
Like a lobster shell, security has layers — review code before you run it.
latest vk9770yk0hgcx9472n5zf0jm5wn83jwe6
