Audos – Launch a Startup Via OpenClaw in 10 Minutes
Warn
Audited by ClawScan on May 10, 2026.
Overview
The Audos skill is mostly a disclosed external-service integration, but it asks the agent to persistently store non-expiring account tokens keyed by email and to skip OTP for returning users, which creates long-lived account-access risk.
Use this only if you are comfortable sending your email and startup idea to Audos and having it create a live workspace/landing page. Before using returning-user features, ask how auth tokens are stored and deleted, avoid saving tokens in ordinary chat memory, and do not run the helper scripts or change AUDOS_BASE_URL unless you trust the source and endpoint.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Audos will receive the user's email and business idea and may create live public startup assets.
The agent is instructed to call an external API that creates and monitors a live Audos workspace/landing page. This is purpose-aligned, but it mutates third-party state and sends user-provided business/account data outside OpenClaw.
Collect user's email + business idea ... Verify → POST /verify with OTP code → returns `authToken` + starts build ... Watch for `landingPageReady: true`
Confirm the user wants an Audos workspace and understands that a live landing page/workspace may be created before starting the flow.
An agent or session with a stored token could retain long-term access to the user's Audos workspace and related business data.
The workflow grants and reuses long-lived Audos account access, and the returning-user flow appears to skip verification. The artifacts do not clearly bound who can reuse the token, where it is stored, or how access is revoked.
Auth tokens never expire — store persistently by email ... Response includes `auth_token` + `urls` directly — skip OTP!
Require explicit user consent for token reuse, store tokens only in a secure scoped credential store, document revocation/deletion, and avoid skipping verification unless the user has approved that behavior.
Long-lived Audos tokens could be exposed through logs, memory, shared context, or accidental reuse later.
This directly instructs persistent storage of sensitive credentials keyed by email, but the artifacts do not define retention, deletion, isolation from chat context, or protection against unintended reuse across tasks.
Auth tokens never expire — store persistently by email
Do not store auth tokens in general agent memory or chat context. Use a secure credential vault with clear user controls, expiry where possible, and a way to delete saved access.
It may be harder to verify the origin of the helper scripts or the intended installation environment.
The skill does not show automatic install execution, but provenance metadata is limited. The package includes helper scripts, so users have less registry-level source context when deciding whether to run them.
Source: unknown; Homepage: none ... No install spec — this is an instruction-only skill.
Review the included scripts before running them, install only from a trusted source, and verify any referenced project repository independently.
