One Person Company
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Autonomous workflows could act on business tasks in ways the user did not specifically approve or expect.
This explicitly advertises autonomous delegation and completion, but the artifact does not state approval gates, allowed action types, stopping conditions, or rollback controls.
Task Management — Track, delegate, and complete work autonomously
Require explicit user confirmation for high-impact workflows and document action limits, stop controls, and rollback or cancellation options.
Sensitive business context could be retained and reused later, and incorrect or maliciously influenced memory could affect future tasks.
Persistent memory is disclosed, but the artifact does not explain what is stored, how long it is retained, how users delete it, or how future agents trust and reuse it.
Memory — Persistent context across sessions
Clarify memory retention, deletion, sensitivity exclusions, and user consent before saving or reusing important context.
If the API key is over-scoped or exposed, someone could access or change data in the One Person Company account depending on the provider's permissions.
The skill requires a provider API key, which is expected for the stated service, but it still grants account-level authority to the external platform.
requires":{"env":["ONEPERSON_API_KEY"]}
Use the least-privileged key available, keep it secret, and rotate it if it may have been exposed.
Business context may be shared among multiple agents or services in ways the user has not reviewed.
Multi-agent orchestration is central to the skill, but the artifact does not describe agent identities, context-sharing boundaries, or per-agent permissions.
Multi-Agent — Orchestrate specialized agents for complex tasks
Review the provider documentation for agent isolation, context sharing, and permission controls before using sensitive data.
