PickFu Market Research

v1.0.0

Run consumer research surveys with PickFu to get real human feedback in minutes — generate images, validate product names, compare logos and packaging, test...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases · Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description match the declared requirements: a single PICKFU_API_KEY credential and an optional @pickfu/cli npm client are appropriate for a service that creates/publishes surveys, uploads media, and analyzes responses.
Instruction Scope
SKILL.md stays within the PickFu domain: it instructs the agent to use MCP or the PickFu CLI (via npx) to generate/upload media, design surveys, publish, and fetch reports. It explicitly mentions uploading local files, which is expected for media but means any file you choose to upload will be transmitted to PickFu's service — the agent will show designs for confirmation before charging.
Install Mechanism
Installation is via an npm package (@pickfu/cli) and the skill uses npx --yes to invoke the latest CLI at runtime. This is traceable and typical, but npx will download and execute remote code at runtime (moderate operational risk compared with instruction-only skills).
Credentials
Only one required environment variable (PICKFU_API_KEY) is declared and used; that is proportionate for interacting with PickFu's API. OAuth/headless is provided as an alternative for interactive auth.
Persistence & Privilege
The skill is user-invocable, not always-on, and does not request elevated platform-wide privileges or modify other skills. disable-model-invocation is false (normal) but there is no forced always:true presence.
Assessment
This skill appears to do what it says, but review these practical points before installing:
- It requires a PickFu API key (PICKFU_API_KEY). Only provide a key you control and understand; use least-privilege or a dedicated key if possible and be prepared to revoke it if needed.
- The skill invokes the PickFu CLI via npx which downloads and runs code from npm at runtime. If you need stronger assurance, inspect the @pickfu/cli package source (npm/GitHub) before use.
- Uploading media uses your local files or URLs — any file you choose to upload will be transmitted to PickFu's servers. Do not upload secrets or sensitive files you don't want shared.
- Publishing surveys will incur charges on your PickFu account; the skill states it will ask for confirmation before charging but verify billing settings and limits.
- The SKILL.md references an MCP server option; confirm that any MCP endpoint your environment uses is legitimate and under your control.
If you want higher confidence, review the source for @pickfu/cli and test with a low-privilege or limited-balance account first.

Like a lobster shell, security has layers — review code before you run it.

latest: vk977d6n861gbwpq1zpv101410x84j4bq

Runtime requirements

📊 Clawdis
OS: macOS · Linux · Windows
Env: PICKFU_API_KEY
Primary env: PICKFU_API_KEY

Install

Node
Bins: pickfu
npm i -g @pickfu/cli
