Idea Coach

Pass

Audited by ClawScan on May 1, 2026.

Overview

No malicious behavior is evidenced; the main things to notice are local idea storage and user-invoked GitHub actions through an authenticated GitHub CLI.

This skill looks coherent for an idea manager. Before installing, decide whether you are comfortable storing idea history locally and using your authenticated GitHub CLI to create repos or issues. Check gh account identity and repo visibility before using /idea_ship or /idea_sync, especially for public repositories.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using GitHub commands such as shipping or syncing an idea can create or update GitHub resources from your machine.

Why it was flagged

The helper runs the local GitHub CLI. This is aligned with the GitHub integration and does not use a shell, but it is still a local tool invocation that can affect remote GitHub resources when used.

Skill content

["gh"] + args, capture_output=True, text=True, timeout=30

Recommendation

Use the GitHub commands only when you intend to connect an idea to GitHub, and confirm the target account, repo, and visibility before shipping or syncing.

What this means

If you invoke GitHub features, the skill may act on the GitHub account currently authenticated in gh.

Why it was flagged

The GitHub integration uses the user's authenticated GitHub CLI session. This is expected for creating or syncing repos, but it means actions run with the user's GitHub identity and permissions.

Skill content

`gh` CLI installed and authenticated; Run `gh auth login` if not set up

Recommendation

Check which GitHub account gh is authenticated to and ensure it has only the permissions you are comfortable using for this skill.

What this means

Installer metadata may not fully prepare you for the GitHub CLI/authentication needed by the optional GitHub commands.

Why it was flagged

The registry metadata does not declare the gh CLI or GitHub authentication, although the docs require them for GitHub features. This is an under-declared setup requirement, not evidence of hidden behavior.

Skill content

Required binaries (all must exist): none; Required env vars: none; Primary credential: none

Recommendation

Review the README/SKILL prerequisites before using GitHub features and install/authenticate gh only if you want those features.

What this means

Your captured ideas and review notes will remain on disk and may contain sensitive personal or business information.

Why it was flagged

The skill persistently stores idea records, review history, GitHub links, and interaction logs. This is central to the purpose, but the stored content may include personal, work, or finance-related ideas.

Skill content

Ideas are stored in `~/.openclaw/idea-coach/ideas.json`

Recommendation

Avoid storing secrets or highly sensitive details in idea entries, and manage or delete ~/.openclaw/idea-coach/ideas.json if you no longer want the data retained.