Skill v1.0.1
ClawScan security
AI Co-Founder Engine (Scored Startup Builder) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 24, 2026, 8:42 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements are coherent with an AI co‑founder / idea evaluation tool; no disproportionate credentials or install steps are requested, but it does perform web lookups and may use user-provided tools, so avoid sending confidential ideas to it.
- Guidance: This skill appears to do what it says: parse ideas, run web-based research, score and propose strategies. Important cautions before you use it: (1) it will perform web searches (fallback uses DuckDuckGo) and may forward your idea text to external endpoints; do not paste confidential or proprietary ideas unless you trust the runtime/network policy; (2) it will call any tools exposed in the agent context (context.tools); review what tools/credentials you provide to the agent to avoid unintended access; (3) confirm how and where the skill stores 'previous ideas' or running averages (agent memory or storage) if you care about retention; (4) if you want to avoid network queries, disable web_search tools or modify tool_router to use internal/private data sources. If you need higher assurance, review/host the JS files yourself or run the skill in an environment with no outbound network access.
Review Dimensions
- Purpose & Capability (ok): Name/description (idea validation, scoring, GTM strategy) match the provided JS helpers (idea parsing, scoring, strategy, web research, tool routing). No unrelated env vars, binaries, or install steps are requested.
- Instruction Scope (note): SKILL.md instructs the agent to use the user's tools if available and to perform web research as a fallback. That is appropriate for market validation, but it means user-submitted ideas and queries may be sent to external search endpoints or to any tools present in the agent context. The skill does not explicitly limit or redact sensitive inputs.
- Install Mechanism (ok): No install spec or external downloads; this is instruction + small JS helper files only, so nothing is written to disk by an installer during install.
- Credentials (ok): The skill declares no required environment variables or credentials. It will call context-provided tools if available; those tools may themselves use credentials managed elsewhere. The skill itself does not request unrelated secrets.
- Persistence & Privilege (ok): 'always' is false and the skill does not request elevated privileges. SKILL.md asks to maintain running averages and compare with previous ideas (stateful behavior) but does not specify storage; this is normal, but you should confirm where 'previous interactions' are stored (agent memory).
