Founder Signal

Pass

Audited by VirusTotal on May 6, 2026.

Overview

Type: OpenClaw Skill
Name: founder-signal
Version: 0.2.2

The founder-signal skill bundle is a research tool designed to aggregate and score product-related discussions from Reddit and V2EX. The code is well-structured and implements a human-in-the-loop workflow where public publication of findings via the draft-cli dependency requires explicit user confirmation. It uses legitimate mirrors and search providers (e.g., eddrit.com, sov2ex.com) to gather data and stores state locally in the runs/ and state/ directories for deduplication. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found; the instructions in SKILL.md explicitly reinforce safety boundaries and prevent the use of legacy 'escape hatch' configuration fields.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If approved, the generated review content could become public on Draft.

Why it was flagged

Publishing a public Draft page is a high-impact external action, but the artifact clearly requires explicit user confirmation before invoking the publishing tool.

Skill content

Public Draft publication requires explicit confirmation before the downstream draft-cli skill is invoked.

Recommendation

Review daily-review.md or the shown preview carefully before approving any public Draft publication.

What this means

Installing the skill also installs and runs an external Draft CLI package locally.

Why it was flagged

The skill relies on an external npm-installed CLI for Draft integration. This is disclosed and purpose-aligned, but it introduces dependency provenance and update trust considerations.

Skill content

node | package: @innosage/draft-cli | creates binaries: draft

Recommendation

Install only if you trust the Draft CLI package source and review package provenance or versioning controls if your environment is sensitive.

What this means

Local artifacts may contain product positioning details, source-post text, and research history that future runs may rely on.

Why it was flagged

The skill intentionally stores product profile data, evidence snapshots, run artifacts, and candidate history for reuse and traceability.

Skill content

Every run must persist a run folder... The import step writes an internal runtime profile under `profiles/` plus a normalized canonical copy under `config-imports/`.

Recommendation

Avoid putting secrets or confidential strategy in configs or snapshots, and periodically review or delete old profiles, runs, logs, and history if needed.