Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Pitch Screener
v0.1.0
Screen startup pitch decks (PDF, PowerPoint, images) from a VC/angel investor perspective. Parses the deck with SoMark to recover slide structure accurately,...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's requested SOMARK_API_KEY and the network calls in pitch_screener.py align with the stated purpose of using SoMark to parse slide content. Requiring a SoMark API key is proportionate to parsing via SoMark. However, the homepage and source are missing, which reduces transparency about the third-party service being used.
Instruction Scope
SKILL.md instructs the agent to parse the deck with SoMark and then run web searches to verify claims; that matches the stated goal. The runtime script (pitch_screener.py) uploads the entire file to somark.tech endpoints and writes parsed outputs to disk. The skill does not clearly warn the user that the file will be uploaded to an external service (it does say 'SoMark will parse the deck' but does not explicitly state data leaves the machine or link to a privacy policy). Because pitch decks often contain sensitive information, the data exfiltration to a third-party API is a material privacy risk and should be explicitly disclosed and accepted by the user.
Install Mechanism
There is no install spec (instruction-only), which minimizes automatic install risk. However, the Python script depends on aiohttp (not declared), so the environment may need manual dependency installation. No downloads from arbitrary URLs occur. The lack of declared runtime dependencies is a packaging/operational omission but not necessarily malicious.
Credentials
Only SOMARK_API_KEY is requested and used, which is appropriate for calling the SoMark API. The main concern is proportionality of granting an API key for a service that will receive entire pitch decks (sensitive data). No other unrelated credentials or system config paths are requested.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not modify other skills or system settings. It runs as an invoked script and writes outputs to a local output directory only.
What to consider before installing
Key points to consider before installing/using this skill:
- Data exfiltration: pitch_screener.py uploads the entire pitch deck to somark.tech (ASYNC_URL/CHECK_URL) using your SOMARK_API_KEY. If decks contain confidential information (IP, financials, personal data), you must be comfortable sending them to that external service and verify SoMark's privacy/security practices.
- Consent/Disclosure: SKILL.md states SoMark will parse the deck but does not explicitly say the file will be uploaded or link to a privacy policy. Confirm you or your organization want this behavior and inform users whose decks you will upload.
- Credential scope: Only SOMARK_API_KEY is required — that is expected — but treat the key like a secret: rotate it, limit permissions if possible, and avoid sharing it broadly.
- Packaging/runtime: There is no install spec. The script uses the third-party Python library aiohttp, which may not be installed in your environment. You'll need a Python runtime and will have to install dependencies manually (pip install aiohttp). Review the code before running.
- Source trust: The skill has no homepage and an unknown source. If you require stronger assurance, ask the publisher for provenance, review SoMark's service documentation, and consider testing with non-sensitive sample decks first.
- Alternatives: If you cannot send sensitive decks to a third party, consider local parsing/OCR alternatives or a manual review workflow.
If you proceed, verify the SOMARK API's retention/processing policy, test with throwaway data, and audit network traffic or run in an isolated environment first.
Like a lobster shell, security has layers — review code before you run it.
latest: vk978nfh58j5t6erj5zfq7t6k2s849yqg
Runtime requirements
🔭 Clawdis
Env: SOMARK_API_KEY
Primary env: SOMARK_API_KEY
