Growth Engineer

Review

Audited by ClawScan on May 13, 2026.

Overview

This appears to be a legitimate growth analytics automation skill, but it needs trusted local setup because it can run commands, use service tokens, schedule recurring runs, and optionally create GitHub artifacts.

Install this only if you want a recurring local growth-analysis runner. Run the wizard in a trusted host shell, do not paste tokens into chat, use least-privilege provider credentials, review the generated config commands and GitHub auto-create settings, and disable cron/heartbeat/loop mode if you do not want unattended runs.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malicious or mistaken connector command in the local config could run arbitrary shell commands during preflight or scheduled runs.

Why it was flagged

The static scan shows the runtime can execute shell command strings, which matches the skill's connector/exporter design but is a broad local execution surface if the config is untrusted.

Skill content

const child = spawn(resolveShellCommand(), ['-c', command], {

Recommendation

Review data/openclaw-growth-engineer/config.json before running, keep connector commands simple and trusted, and avoid running configs supplied by others.

What this means

If you enable GitHub write access, the skill may create issues or draft PRs without asking on every run.

Why it was flagged

The skill can create GitHub artifacts automatically when configured with write access. This is disclosed and purpose-aligned, but it can mutate a repo's issue tracker or PR list.

Skill content

then create a GitHub issue or implementation PR automatically when GitHub API write access is configured

Recommendation

Use read-only GitHub access for analysis-only mode, and enable issue or PR write scopes only when you explicitly want automatic artifact creation.

What this means

Tokens can expose private repo, analytics, billing, crash, or store data, and write-scoped GitHub tokens can create repo artifacts.

Why it was flagged

The skill may use GitHub and provider credentials, including optional write scopes. The same file documents least-privilege guidance, so this is sensitive but disclosed.

Skill content

`GITHUB_TOKEN` | Repo/code access for analysis; optional GitHub issue/PR creation ... Issue creation: add `Issues: Read/Write`. PR creation: add `Pull requests: Read/Write` and `Contents: Read/Write`

Recommendation

Use fine-grained, least-privilege tokens; prefer read-only scopes unless you want automatic issues or PRs; do not paste secrets into chat.

What this means

A later skill update or preview package change could alter behavior after the original install review.

Why it was flagged

During bootstrap, the script can force-update the installed skill without an interactive prompt. This is visible in the artifact and appears intended to keep the runtime current, but it means setup may pull newer code than the reviewed package.

Skill content

(cd "${WORKSPACE}" && clawhub --no-input --dir skills update "${skill_slug}" --force) || true

Recommendation

Run setup only from trusted sources, consider pinning versions for production, and set the documented disable/skip update environment variables if you do not want bootstrap self-updates.

What this means

Sensitive product or business summaries may persist locally and may be reused by the agent or forwarded to configured destinations.

Why it was flagged

The configuration writes growth-run summaries into persistent local chat/outbox files. These summaries may contain business metrics, crash details, feedback themes, or repo context.

Skill content

"markdownPath": ".openclaw/chat/growth-summary.md", "jsonPath": ".openclaw/chat/growth-summary.json"

Recommendation

Review generated summaries before sharing, keep secrets out of outputs, and disable chat/GitHub delivery paths if the data should remain local.

What this means

Once configured, the skill may continue running health checks and growth runs on a schedule.

Why it was flagged

The example configuration enables a recurring OpenClaw cron schedule. This is disclosed scheduling behavior, not hidden persistence, but it can keep the skill running unattended.

Skill content

"openclawCron": { "enabled": true, "mode": "main", "schedule": "*/30 * * * *"

Recommendation

Enable cron, HEARTBEAT, or loop mode only if you want recurring automation, and know how to list and remove the OpenClaw cron/heartbeat job.