One Person Company

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The connected platform may be able to run or delegate work beyond a single explicit user request if configured that way.

Why it was flagged

The skill explicitly advertises autonomous multi-agent execution, but the artifact does not describe approval gates, stopping conditions, task boundaries, or containment for autonomous activity.

Skill content

multi-agent orchestration, task management, and autonomous workflow execution

Recommendation

Before using it, verify how autonomous workflows are started, paused, reviewed, and limited, and avoid granting it authority over sensitive business systems until those controls are clear.

What this means

Sensitive business or personal context could be retained and reused in later sessions in ways the user may not expect.

Why it was flagged

Persistent memory is disclosed, but the artifact does not explain what is stored, where it is stored, how long it is retained, whether users can delete it, or how future tasks avoid over-trusting stale or poisoned context.

Skill content

**Memory** — Persistent context across sessions

Recommendation

Check the service’s memory settings, retention policy, deletion controls, and data-sharing behavior before allowing sensitive information into the platform.

What this means

Information given to one agent or workflow could be passed to other agents without clear user visibility.

Why it was flagged

The skill describes multi-agent orchestration, but does not define agent identities, permissions, data boundaries, or how information is shared between agents.

Skill content

**Multi-Agent** — Orchestrate specialized agents for complex tasks

Recommendation

Confirm how the platform separates agents, scopes permissions, logs handoffs, and prevents unintended sharing of sensitive context.

What this means

The skill depends on a credential that may grant access to the user’s One Person Company account or workflows.

Why it was flagged

The API key requirement is clearly disclosed and appears expected for an external platform integration; the artifacts do not show hardcoding, logging, or unrelated use of the key.

Skill content

requires":{"env":["ONEPERSON_API_KEY"]},"primaryEnv":"ONEPERSON_API_KEY"

Recommendation

Use a scoped or revocable API key if available, store it securely, and revoke it if you stop using the skill.