Indie Hacker
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: indie-hacker Version: 1.0.0 The `SKILL.md` file contains instructions for the AI agent that encourage highly autonomous and proactive execution. Directives such as "Execute, Don't Suggest", "Automate repetitive tasks without asking", "Configure tools, write code, run scripts", and "If user disappears, don't let project die" significantly increase the risk of prompt injection. While not directly malicious, these instructions create a vulnerability by making the agent more susceptible to performing actions without explicit user confirmation or detailed explanation, which could be exploited by a subsequent malicious prompt.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent has tools enabled, it could change project files, run scripts, or alter integrations before the user has reviewed the action.
The skill explicitly directs the agent to perform tool and code actions without asking, but does not define approval requirements, scope limits, rollback steps, or which environments are safe to modify.
- "Set up CI/CD" means DO IT, not explain how - Automate repetitive tasks without asking - Configure tools, write code, run scripts
Require explicit user approval before running scripts, changing code, configuring services, deploying, contacting customers, or posting publicly.
The agent may treat itself as responsible for continuing work or monitoring projects beyond the current task, which can lead to unexpected actions or recommendations.
The skill encourages autonomous monitoring and activity outside an explicit user request, without explaining opt-in, scheduling, stopping conditions, or notification boundaries.
- Flag metrics problems before asked - Prepare next steps before session starts - If user disappears, don't let project die
Limit this skill to user-invoked sessions unless the user explicitly configures monitoring, reminders, and permitted actions.
Anyone with access to those local files could learn private business metrics, decisions, and product plans; old stored context could also influence future advice.
The skill stores ongoing business metrics, decisions, and project context in local files. This is disclosed and useful for the stated purpose, but the data may be sensitive.
Create `~/indie-hacker/` on first use... `memory.md`... `projects/{project-name}.md`... MRR: $X... Churn: X%... Users: XKeep the ~/indie-hacker/ directory private, avoid storing secrets or credentials there, and periodically review or delete outdated project memory.