Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Technical Business Strategy Analysis

v1.0.0

Professional-grade business strategy analysis: a complete workflow from market-size estimation to actionable insights. Supports professional frameworks such as TAM/SAM/SOM, competitor matrices, SWOT+, Porter's Five Forces, and the Business Model Canvas.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Pending

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The stated purpose (business/market strategy analysis using TAM/SAM/SOM, SWOT, Porter, etc.) aligns with the SKILL.md contents and included framework/templates. The required capabilities (web data collection, quantitative analysis, report generation) are consistent with the skill's goals. However, the skill expects use of a 'Tavily' search API and a local API key stored in ~/.openclaw/.env even though no required environment variables or config paths are declared in the registry metadata — that mismatch is noteworthy.
Instruction Scope
SKILL.md instructs the agent to create directories and write many files under the user's home workspace (~/.openclaw/workspace/...) and to read a local file (~/.openclaw/.env) for the Tavily API key. It also contains shell fragments that use an absolute path (/home/Vincent/.openclaw/workspace/) which may not match the actual user and could cause unexpected behavior. The skill calls external data sources and another skill (ppt-generator) — those calls are expected for this purpose, but the implicit file I/O and hard-coded paths expand the scope beyond pure analysis and are not reflected in declared requirements.
Install Mechanism
No install spec is provided (instruction-only), and the only executable file included is a small bash configuration script. This is lower risk than arbitrary binary downloads. There are no external installers, package downloads, or extract operations in the manifest.
Credentials
Registry metadata lists no required env vars, but both README.md and tavily-config.sh (and SKILL.md) expect a Tavily API key stored at ~/.openclaw/.env (TAVILY_API_KEY). The skill thus implicitly requires credentials and reads a local env file, which is not declared. Other external data sources (e.g., Crunchbase) may require separate credentials but are not mentioned as required. Requiring an API key stored in a plaintext env file without declaring it is an inconsistency and a potential secret-management concern.
Persistence & Privilege
The skill writes configuration (~/.config/business-strategy-analysis/tavily_domains.json) and saves analysis outputs under ~/.openclaw/workspace/, which grants it persisted presence in the user's home. 'always' is false, and the skill does not request elevated system privileges or modify other skills. Persisting files in user config/workspace is reasonable for this use case, but the hard-coded /home/Vincent paths and undeclared config writes should be clarified.
What to consider before installing
This skill generally does what it claims (market & strategy analysis), but there are several mismatches you should address before installing or running it:

- The skill expects a Tavily API key in ~/.openclaw/.env (TAVILY_API_KEY) and will read it, but the registry metadata does not declare any required env vars—confirm where to store credentials and how they are protected.
- tavily-config.sh and SKILL.md create config files under ~/.config and output under ~/.openclaw/workspace. If you do not want persistent files in your home directory, run the skill in a sandbox or review/modify the paths.
- SKILL.md contains hard-coded absolute paths (/home/Vincent/...) which may not match your environment—ask the author to replace these with $HOME or relative paths.
- Review the Tavily service: verify it is trustworthy and whether it logs or exfiltrates queries. Avoid placing secrets in plain ~/.openclaw/.env if possible; prefer a secure secret store.
- If you plan to use paid/third-party data sources (Crunchbase, IBISWorld, etc.), check whether additional API keys are needed and whether those credentials will be read or stored by the skill.

If you cannot confirm these points with the author, run the skill in an isolated environment first and inspect the files it writes.



Runtime requirements: Clawdis
