v1.0.0

Saas Decomposer

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:49 AM.

Analysis

The skill appears to be a coherent instruction-only SaaS analysis helper, with disclosed web fetching and limited memory/event use but no evidenced malicious behavior.

Guidance: This appears safe to install if you expect it to analyze public SaaS pages and produce planning outputs. Before relying on it, review the referenced memory files and event-sharing behavior, and treat cost-savings or AI-replacement estimates as planning assumptions rather than verified facts.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low; Confidence: High; Status: Note
SKILL.md
Crawl service landing/feature pages with `web_fetch`

The skill directs the agent to use web-fetching to collect SaaS feature information. This is purpose-aligned, but it means the agent may access external websites during analysis.

User impact: The agent may fetch or scrape public SaaS pages as part of producing the analysis.
Recommendation: Use it with public or intended URLs, and avoid asking it to crawl authenticated or private pages unless you explicitly want that.

Agentic Supply Chain Vulnerabilities
Severity: Info; Confidence: High; Status: Note
metadata
Source: unknown; Homepage: none

The registry metadata does not provide an upstream source or homepage. Because this is instruction-only with no code or install step, this is a provenance note rather than a material concern.

User impact: There is less external provenance information available for deciding whether to trust the skill's instructions.
Recommendation: Review the SKILL.md instructions directly before installation and prefer a known source if provenance matters to your workflow.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low; Confidence: High; Status: Note
SKILL.md
Memory to reference during analysis: ... `memory/consolidated/doyak-business-plan.md` ... `SOUL.md`

The skill asks the agent to incorporate persistent local memory files and a project vision file into its analysis. That is disclosed and relevant to the roadmap purpose, but stored context can influence outputs and may contain private strategy.

User impact: Local notes or business-planning files may shape the decomposition and roadmap the agent produces.
Recommendation: Review the referenced memory files and remove or ignore any private, outdated, or untrusted context before relying on the analysis.

Insecure Inter-Agent Communication
Severity: Low; Confidence: High; Status: Note
SKILL.md
Generated Events - `events/saas-analysis-YYYY-MM-DD.json` ... Consumers - `business-planner`

The skill describes writing analysis results to an event file for another skill to consume. This is disclosed, but it creates a persistent handoff of analysis data across agent workflows.

User impact: SaaS analysis results may be reused by a business-planning workflow after the original task.
Recommendation: Check event contents before downstream use if the analysis includes confidential business strategy or assumptions.