Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
strategic-analyst-skill
v1.0.2
Provides McKinsey-style industry and market analysis using classic frameworks to support strategic, investment, and market entry decisions with data-backed r...
by yamaz @yamaz49
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and included frameworks/tools align with a McKinsey-style strategic analysis skill. Declared dependent skills (web-search, agent-browser, summarize) and features (PDF/table extraction, OCR, HTML/Markdown reports, quality gate) are consistent with the purpose. Minor inconsistency: the registry metadata lists no required environment variables, but runtime docs and README/agent_instructions explicitly require a Tavily API key for deep research.
Instruction Scope
SKILL.md and agent_instructions require mandatory real-time web searches, cross‑checking of data, PDF/table extraction, dynamic webpage scraping (agent-browser), and OCR of images. The skill forces creation/saving of data_collection.md containing all search queries, tools used, source URLs, and raw snippets — useful for transparency but also means detailed logs of searches will be written. The instructions do not ask for unrelated local files or unrelated credentials, nor do they (in the provided docs) direct data to unexpected external endpoints beyond the listed search tools/MCPs.
Install Mechanism
No install spec / no external downloads are declared (instruction-only install). The package includes Python tool scripts (tools/*.py) which will be executed by the agent at runtime — this is expected for an analysis/reporting skill but increases the importance of auditing those files. No URLs, archive extracts, or third‑party installers are present in the metadata.
Credentials
The skill does not declare required env vars in the registry metadata, yet the README and SKILL.md instruct the user to configure a Tavily API key (TAVILY_API_KEY) in settings.json as an MCP server. Requesting a single search API key is proportionate to the stated functionality, but the omission in the declared metadata is an incoherence. No other unrelated credentials are requested. Note: giving any external API key to the agent/MCP environment grants networked access to that service and should be treated as sensitive.
Persistence & Privilege
The skill is not force‑enabled (always:false) and uses default autonomous invocation. It writes a forced intermediate artifact (data_collection.md) and generates report files (Markdown/HTML) — expected behavior. There is no declaration that it modifies other skills, global agent settings, or requests long‑lived elevated privileges.
What to consider before installing
This skill appears to do what it says, but before installing:
1) Be aware it requires/encourages you to configure a Tavily API key in your agent's settings.json (sensitive credential) even though the registry metadata does not list any required env vars — only provide keys you trust and store them in an appropriate, least-privilege place.
2) The package includes executable Python tools (tools/*.py). Review those scripts for any unexpected network destinations or data-exfiltration logic before enabling the skill in production.
3) The skill will save a detailed data_collection.md that logs search queries, URLs and raw snippets — do not run it against confidential material and consider deleting or auditing that file if it will contain sensitive info.
4) If you are uncomfortable granting web-scraping/search capability, do not supply the Tavily key and limit the agent to safer fallback search methods.
5) If you want higher assurance, request the full contents of the tools/*.py files for inspection; if they are benign, the skill is coherent with its purpose.
Like a lobster shell, security has layers — review code before you run it.
latest vk976msbrvz0vt5qk4c11vxwxeh84exk0
