Indie Hacker
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent has tools enabled, it could change project files, run scripts, or alter integrations before the user has reviewed the action.
The skill explicitly directs the agent to perform tool and code actions without asking, but does not define approval requirements, scope limits, rollback steps, or which environments are safe to modify.
- "Set up CI/CD" means DO IT, not explain how
- Automate repetitive tasks without asking
- Configure tools, write code, run scripts
Require explicit user approval before running scripts, changing code, configuring services, deploying, contacting customers, or posting publicly.
The agent may treat itself as responsible for continuing work or monitoring projects beyond the current task, which can lead to unexpected actions or recommendations.
The skill encourages autonomous monitoring and activity outside an explicit user request, without explaining opt-in, scheduling, stopping conditions, or notification boundaries.
- Flag metrics problems before asked
- Prepare next steps before session starts
- If user disappears, don't let project die
Limit this skill to user-invoked sessions unless the user explicitly configures monitoring, reminders, and permitted actions.
Anyone with access to those local files could learn private business metrics, decisions, and product plans; old stored context could also influence future advice.
The skill stores ongoing business metrics, decisions, and project context in local files. This is disclosed and useful for the stated purpose, but the data may be sensitive.
Create `~/indie-hacker/` on first use... `memory.md`... `projects/{project-name}.md`... MRR: $X... Churn: X%... Users: X
Keep the ~/indie-hacker/ directory private, avoid storing secrets or credentials there, and periodically review or delete outdated project memory.
