Saas Decomposer
PassAudited by ClawScan on May 1, 2026.
Overview
The skill appears to be a coherent instruction-only SaaS analysis helper, with disclosed web fetching and limited memory/event use but no evidenced malicious behavior.
This appears safe to install if you expect it to analyze public SaaS pages and produce planning outputs. Before relying on it, review the referenced memory files and event-sharing behavior, and treat cost-savings or AI-replacement estimates as planning assumptions rather than verified facts.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may fetch or scrape public SaaS pages as part of producing the analysis.
The skill directs the agent to use web-fetching to collect SaaS feature information. This is purpose-aligned, but it means the agent may access external websites during analysis.
Crawl service landing/feature pages with `web_fetch`
Use it with public or intended URLs, and avoid asking it to crawl authenticated or private pages unless you explicitly want that.
Local notes or business-planning files may shape the decomposition and roadmap the agent produces.
The skill asks the agent to incorporate persistent local memory files and a project vision file into its analysis. That is disclosed and relevant to the roadmap purpose, but stored context can influence outputs and may contain private strategy.
Memory to reference during analysis: ... `memory/consolidated/doyak-business-plan.md` ... `SOUL.md`
Review the referenced memory files and remove or ignore any private, outdated, or untrusted context before relying on the analysis.
SaaS analysis results may be reused by a business-planning workflow after the original task.
The skill describes writing analysis results to an event file for another skill to consume. This is disclosed, but it creates a persistent handoff of analysis data across agent workflows.
Generated Events - `events/saas-analysis-YYYY-MM-DD.json` ... Consumers - `business-planner`
Check event contents before downstream use if the analysis includes confidential business strategy or assumptions.
There is less external provenance information available for deciding whether to trust the skill's instructions.
The registry metadata does not provide an upstream source or homepage. Because this is instruction-only with no code or install step, this is a provenance note rather than a material concern.
Source: unknown; Homepage: none
Review the SKILL.md instructions directly before installation and prefer a known source if provenance matters to your workflow.