Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Firm Saas Pack

v1.0.0

Curated skill bundle for SaaS companies (B2B and B2C) covering product development, go-to-market, customer success and engineering excellence. Activates the...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (a curated SaaS skill pack) aligns with the content: prompt templates, recommended companion skills, and a configuration overlay for agent workspaces. Recommendations to install complementary ClawHub skills (e.g., azure-devops, firm-orchestration) are appropriate for a SaaS operator bundle.
Instruction Scope
SKILL.md is purely prompts/config and routing guidance; it does not execute code or instruct the agent to read arbitrary system files. It does reference data inputs (e.g., "CRM export Feb 28") and asks for anonymization in prompts — the skill does not specify how that data is provided or accessed, so the operator must control data provisioning. The metadata lists tools (sessions_send/spawn/history) which are reasonable for an orchestration bundle but worth noting because they give the skill hooks into session management.
Install Mechanism
No install spec and no code files (instruction-only). Nothing is downloaded or written by the skill itself, which minimizes install-time risk.
Credentials
The skill declares no required environment variables or credentials. However the configuration overlay names a provider/model path ("anthropic/claude-opus-4-6") which in practice requires an API key or provider configuration that the SKILL.md does not declare; recommended companion skills (e.g., azure-devops) will likely require their own credentials. This mismatch is a minor inconsistency and a reminder to review credentials for any downstream skills you install.
Persistence & Privilege
always is false and no special system-wide privileges or config modifications are requested. The skill uses workspace paths in its overlay (~/.openclaw/workspace/saas-firm), which is normal for per-skill workspaces but means the agent may write files there if you enable it.
Assessment
This skill is largely a set of prompts, routing profiles, and a workspace/config overlay and does not itself request secrets or install code, so it's coherent for the described SaaS orchestration purpose. Before enabling it: (1) Decide how data like "CRM export" will be supplied and anonymized locally — the skill gives no automated access to your CRM. (2) Review and be prepared to supply provider API keys if you adopt the suggested model (Anthropic) or any recommended companion skills (Azure, etc.). (3) Note the workspace path (~/.openclaw/workspace/saas-firm) — the agent may create files there. (4) Vet the recommended companion skills independently since they may require credentials or install code. If you need higher assurance, ask the author for provenance (homepage, repo) or request an explicit list of environment variables and storage/actions the skill will perform; that information would raise this evaluation to high confidence.

Like a lobster shell, security has layers — review code before you run it.
