MicroSaaS Launcher
Pending: Static analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could make changes in your GitHub, Vercel, or Stripe accounts, including actions that affect code, deployments, products, pricing, and payments.
The skill asks to use powerful account credentials for source control, deployment, and payments. The supplied metadata declares no credential contract, and the SKILL.md does not clearly limit token scopes, storage, or handling.
If user provides GitHub credentials, use them ... Obtain Vercel API token ... Configure Stripe API keys, create product and pricing tiers
Use separate project accounts where possible, provide only least-privilege revocable tokens, use Stripe test mode until final approval, and approve every account-level change manually.
A mistake or over-broad action could create, modify, deploy, or publish a real application without enough review.
The runbook gives the agent broad command-line and browser authority to create code, commit changes, deploy production infrastructure, and manage accounts. This matches the purpose, but the provided instructions only explicitly require confirmation for budget and live Stripe payments.
Tooling: `exec` (for `git` commands ...), `exec` (for `npx create-next-app`, `supabase cli`, `git add/commit`), `exec` (for `vercel deploy` CLI, or `web_browser` for Vercel UI)
Require step-by-step approval before repository creation, package installation, commits, deployments, domain changes, payment configuration, public posts, and customer communications.
Incorrect code, pricing, posts, or support responses could affect customers, revenue, reputation, or deployed infrastructure.
The workflow connects code generation, production deployment, payments, public marketing, customer communications, analytics, and later product changes. Errors in one step could propagate into public services or customer-facing systems.
writes all necessary code, deploys to Vercel, sets up domain and Stripe payments ... launches on platforms like Product Hunt, Twitter, and Reddit, handles customer support via email/chat, tracks daily revenue, and iterates on features
Use staging environments, Stripe test mode, draft-only public content, manual support review, and explicit rollback plans before going live.
The agent may continue making business-impacting decisions or customer-facing changes beyond the initial build task.
These instructions imply ongoing autonomous operations after initial launch, but the provided artifact does not define time limits, review checkpoints, customer-communication approval, or boundaries for revenue/analytics access.
handles customer support via email/chat, tracks daily revenue, and iterates on features based on usage analytics
Define a fixed operating window, require approval for every customer-facing message and feature change, and do not let the agent access production support or revenue systems unattended.
Business plans, deployment details, or payment setup information could remain in local project files and be reused later.
The launch log is purpose-aligned documentation, but it may collect sensitive business setup details. The artifact does not specify retention, access controls, or a rule against logging secrets.
Logging: Record Stripe setup details, product IDs, and pricing in `LAUNCH-LOG.md`
Keep the log in a private repository, avoid recording secrets or API keys, and periodically review or redact the log.
