ClawHub

🦞 UzStartup Coach

v1.0.1

AI business coach for Uzbek startups offering tailored advice on idea validation, product development, sales, China sourcing, fundraising, and CIS expansion.

0· 65·0 current·0 all-time
byAzizbek@stevensabiro
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Uzbek startup coach) align with declared permissions (telegram_message, file_read, web_search, cron), local storage of lightweight user context, and requirement for TELEGRAM_BOT_TOKEN. All requested capabilities are expected for a Telegram-based coaching bot.
Instruction Scope
SKILL.md explicitly instructs the agent to read user-uploaded pitch decks, ask onboarding questions, and store minimal context (name, startup_stage, last_goal, last_checkin_date). That behavior is within scope, but the doc relies on users not uploading sensitive financial/password data and does not specify encryption or access controls for stored files. The skill includes a /deletedata command and requires consent for scheduled messages, which mitigates some concerns.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing will be downloaded or written beyond local runtime data created by the agent. This is the lowest-risk install profile.
Credentials
Only TELEGRAM_BOT_TOKEN is required, which is proportionate for a Telegram bot. Users should be aware a bot token allows sending/receiving messages as the bot—use a dedicated bot token and avoid giving it elevated or unrelated privileges. No unrelated credentials are requested.
Persistence & Privilege
The skill does not request 'always: true' and the embedded metadata sets autonomous.enabled = false (user must enable autonomy). It declares local storage under ~/.openclaw/data/uzstartup-coach/users.json; this is confined to a single file and does not modify other skills or system-wide settings. The storage of PII is declared, so persistence is explicit.
Assessment
This skill appears to do exactly what it says: a Telegram-based Uzbek/CIS startup coach that can read uploaded pitch decks and send scheduled check-ins. Before installing: (1) Understand it will store small amounts of personal context (name, stage, last goal) in ~/.openclaw/data/uzstartup-coach/users.json — check file permissions and consider encryption if you handle sensitive users. (2) Use a dedicated Telegram bot token (provided by @BotFather) since the token lets the bot send/receive messages. (3) Be cautious about uploading pitch decks or documents that contain financials, passwords, or investor secrets; the skill states it won’t store such sensitive data, but uploads could still be read during processing. (4) Autonomy is disabled by default and scheduled messages require consent — don’t enable autonomous operation unless you trust the skill and audit its behavior. (5) The skill source is unknown: prefer skills from verified authors or review logs/data after initial use. If you need stronger guarantees, ask the author how stored data is protected, how /deletedata is implemented, and whether files are encrypted at rest.

Like a lobster shell, security has layers — review code before you run it.

latestvk97419bf9ffrggt1rz90gpgn5984mhk5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments