Startup Pipeline

Pass

Audited by ClawScan on May 2, 2026.

Overview

This is a coherent instruction-only startup research workflow, but users should notice the external idea-check API, payment/crypto/public-launch guidance, and minor provenance metadata mismatch.

This skill appears safe as an instruction-only workflow. Before using it, approve any external API calls, avoid sharing confidential startup details, and require confirmation before payment setup, crypto-related choices, deployment, or public posting.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used, private business ideas or market research text could be shared with an external service.

Why it was flagged

The workflow suggests sending the user's startup idea text to an external MCP-style API. This is disclosed and relevant to the skill's red-team check, but it may expose confidential idea details to a third party.

Skill content

POST https://idea-reality-mcp.onrender.com/api/check
Body: {"idea_text": "...", "depth": "deep"}

Recommendation

Use this API only with explicit user approval, avoid sending confidential details, and review the service's ownership and privacy terms first.

What this means

An agent following the workflow too aggressively could affect billing/payment setup or publish public content.

Why it was flagged

The plan includes payment setup and public posting. These are coherent for an MVP launch, but they are high-impact actions if an agent with external tools were to carry them out.

Skill content

Night 2: Auth + Payments + Landing ... ЮKassa ... or СБП ... Night 3 ... First post: VC.ru + Habr + 5 Telegram channels

Recommendation

Require explicit user confirmation before enabling payments, crypto-related flows, deploying services, or posting to public channels.

What this means

Users have limited provenance information to verify exactly which version of the instruction set they are installing.

Why it was flagged

The internal _meta.json version differs from the registry metadata version 3.2.0. With an unknown source and no homepage, this is a minor provenance/coherence issue, though there is no runnable code in the package.

Skill content

"version": "1.0.0"

Recommendation

Prefer skills with consistent metadata and a clear source/homepage, especially if future versions add code or credentials.