Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Openclaw Growth Engineer

v1.0.1

OpenClaw-first growth autopilot for mobile apps. Correlate analytics, crashes, billing, feedback, store signals, and repo context into implementation-ready G...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md and bundled code clearly require GitHub access (GITHUB_TOKEN) and optionally analytics/revenuecat/sentry tokens; however the registry metadata lists no required env vars or primary credential. That mismatch is an incoherence — a consumer might assume no secrets are needed when in fact a writable GitHub token is mandatory for issue/PR creation. Otherwise the requested capabilities (reading repo, creating GH issues/PRs, consuming analytics/sentry/revenuecat summaries) align with the described purpose.
Instruction Scope
Runtime instructions and scripts perform repository scanning, run local commands (analyticscli), launch node scripts, open an optional local feedback HTTP API, and make network calls to GitHub/RevenueCat/Sentry for preflight checks. These behaviors are consistent with the documented purpose, but they include reading files in the workspace and home-based skill locations (e.g. ~/.openclaw, ~/.codex) and executing shell commands — review those accesses if you need stricter surface limits.
Install Mechanism
There is no external installer or remote download. The package is instruction+code-only and provides a bootstrap script that copies bundled scripts/data into the workspace. No external archives or URL-based installs are used, so install risk is limited to the provided files.
Credentials
The skill legitimately needs GITHUB_TOKEN for its core functionality and documents recommended tokens (ANALYTICSCLI_READONLY_TOKEN, REVENUECAT_API_KEY, SENTRY_AUTH_TOKEN). However, the registry metadata does not declare these env vars, which is misleading. The number and type of secrets requested are proportionate to the skill's purpose, but you must ensure tokens are least-privilege and not committed.
Persistence & Privilege
always:false (not forced into all agents). The skill writes runtime scripts/data into your workspace via the bootstrap script and can create files/branches in the target repo (issues/PRs) when authorized. It does not request system-wide privileges or modify other skills' configuration. Autonomous invocation is allowed (platform default); consider that in combination with the required GitHub token if you plan automated runs.
What to consider before installing
Key things to check before installing/running:

  • The skill requires a GitHub token (GITHUB_TOKEN) with the scopes described in SKILL.md; the registry metadata does not list this — do not assume no credentials are needed.
  • Use a least-privilege token: grant only the minimal issue/contents or pull_request scopes required for your chosen mode, and prefer repository-scoped tokens where possible.
  • Inspect the bundled scripts (especially scripts/*.{mjs,py,sh}) in a safe environment — they run shell commands, read workspace and home paths, and make network calls to GitHub, RevenueCat, Sentry, and the optional local feedback API.
  • Run the preflight with --test-connections in an isolated workspace first to see what external hosts are contacted and which env vars are required.
  • The bootstrap copies files into your repo workspace; ensure you are comfortable with those files being written and with the skill creating branches/PRs if enabled.
  • Do not commit secrets into config.json or proposal/issue bodies (the skill documents this best practice).

If you have low tolerance for autonomous actions, do not enable automated issue/PR creation and run the tool manually.
Patterns worth reviewing

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

  • scripts/openclaw-growth-preflight.mjs:89 - Shell command execution detected (child_process).
  • scripts/openclaw-growth-runner.mjs:132 - Shell command execution detected (child_process).
  • scripts/openclaw-growth-start.mjs:74 - Shell command execution detected (child_process).
  • scripts/openclaw-growth-engineer.mjs:1050 - Environment variable access combined with network send.
  • scripts/openclaw-growth-preflight.mjs:427 - Environment variable access combined with network send.
  • scripts/openclaw-growth-start.mjs:148 - Environment variable access combined with network send.
  • scripts/openclaw-growth-engineer.mjs:240 - File read combined with network send (possible exfiltration).
  • scripts/openclaw-growth-preflight.mjs:134 - File read combined with network send (possible exfiltration).
  • scripts/openclaw-growth-start.mjs:125 - File read combined with network send (possible exfiltration).

Runtime requirements

🚀 Clawdis

SKILL.md

OpenClaw Growth Engineer

Use This Skill When

  • you want OpenClaw to turn product signals into execution-ready backlog work
  • you need one mobile-first workflow across analytics, RevenueCat, Sentry/GlitchTip, ASC CLI, app reviews, support feedback, and repo context
  • you want GitHub repo access to be mandatory and used as part of prioritization
  • you want OpenClaw to create either GitHub issues or draft pull requests with proposal files

Product Focus

  • Primary focus: mobile apps
  • Works well with: React Native, Expo, native iOS/Android, mobile growth loops, paywalls, store reviews, crashes, release readiness
  • Still valid for SaaS/web products when your connectors export the same summary JSON shape

Mandatory Baseline

Before autopilot runs, these are non-negotiable:

  • analyticscli CLI available
  • analyticscli-cli skill installed/fetched
  • target repo checkout readable via project.repoRoot
  • GitHub repo known (project.githubRepo)
  • GITHUB_TOKEN present

GitHub is mandatory for this skill. It is not just an optional export sink. The repo is part of the analysis surface for file/module mapping and the delivery target for issues or draft PRs.

GitHub Modes

The skill supports both delivery modes:

  • actions.mode = "issue": create implementation-ready GitHub issues
  • actions.mode = "pull_request": create draft PRs that add .openclaw/proposals/...md proposal files to the repo

Use issue mode when:

  • you want backlog-first planning
  • engineering should pick up and implement later

Use pull-request mode when:

  • you want every proposal anchored in a branch and reviewable artifact
  • you want the requested changes written down inside the repository immediately

Connector Model

Built-in channels:

  • analytics
  • revenuecat
  • sentry
  • feedback

Additional connectors:

  • configure sources.extra[]
  • each extra connector can use mode=file or mode=command
  • preferred output is shared signals[]
  • crash-style tools may use issues[]
  • feedback-style tools may use items[]

Mobile-focused examples:

  • glitchtip
  • firebase-crashlytics
  • asc-cli
  • app-store-reviews
  • play-console
  • stripe
  • adapty
  • superwall

Feedback Rules

  • Prefer tenant-owned backend/proxy submission for mobile apps
  • Do not put privileged feedback secrets directly into shipped app binaries unless they are intentionally public and app-scoped
  • Always include a stable locationId for feedback collection points
  • Use human-meaningful, code-stable location ids such as onboarding/paywall, settings/restore, profile/delete_account
  • The SDK should track lightweight feedback submission events without sending raw feedback text into analytics events

Startup Protocol

When the user says "start", "run", or "kick off" the skill:

  1. If scripts/openclaw-growth-start.mjs is missing at workspace root but the skill is installed under skills/openclaw-growth-engineer/, run:
    • bash skills/openclaw-growth-engineer/scripts/bootstrap-openclaw-workspace.sh
  2. Run portable checks first:
    • command -v analyticscli
    • analyticscli projects list
    • detect project.githubRepo from git remote when possible
    • verify GITHUB_TOKEN
  3. Run preflight:
    • node scripts/openclaw-growth-preflight.mjs --config data/openclaw-growth-engineer/config.json --test-connections
  4. If preflight fails, return only a concrete blocker checklist
  5. If preflight passes, run:
    • node scripts/openclaw-growth-runner.mjs --config data/openclaw-growth-engineer/config.json

Do not block startup merely because local helper files are missing. Bootstrap the workspace first when the skill was installed under skills/openclaw-growth-engineer/.

Output Rules

  • max 3-5 proposals per pass
  • each proposal must include measurable impact and file/module hypotheses
  • each proposal must say what should change
  • low-confidence findings must be marked explicitly
  • recommendations without GitHub repo context are incomplete

Required Secrets

  • GITHUB_TOKEN
    • required
    • issue mode: Issues: Read/Write, Contents: Read
    • pull-request mode: Pull requests: Read/Write, Contents: Read/Write
  • ANALYTICSCLI_READONLY_TOKEN
    • recommended
  • REVENUECAT_API_KEY
    • recommended for RevenueCat command/API mode
  • SENTRY_AUTH_TOKEN
    • recommended for Sentry command/API mode
  • optional connector-specific secretEnv per sources.extra[]
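As an added example (not part of the skill's own scripts), a small offline preflight in the skill's language that applies the Connector Model and Required Secrets rules above: it validates actions.mode, confirms GITHUB_TOKEN is set, and rejects a sources.extra[] entry whose secretEnv holds a literal value instead of an environment variable name. The config field names and the sample config are assumptions based on this page, not the real config.json schema.

```javascript
// Added example: offline preflight for the secrets-handling rules in SKILL.md.
// The config shape (actions.mode, sources.extra[].mode, sources.extra[].secretEnv)
// is assumed from the page, not taken from the skill's real config.json schema.

const MODE_SCOPES = {
  issue: "Issues: Read/Write, Contents: Read",
  pull_request: "Pull requests: Read/Write, Contents: Read/Write",
};

// Heuristic: secretEnv should be an env var NAME (UPPER_SNAKE_CASE), never the secret itself.
const ENV_NAME = /^[A-Z][A-Z0-9_]*$/;

function preflightConfig(config, env = process.env) {
  const blockers = [];
  const mode = config?.actions?.mode;
  if (!MODE_SCOPES[mode]) {
    blockers.push(`actions.mode must be "issue" or "pull_request", got ${JSON.stringify(mode)}`);
  }
  if (!env.GITHUB_TOKEN) {
    blockers.push(`GITHUB_TOKEN missing (needed for ${mode} mode: ${MODE_SCOPES[mode] ?? "scopes unknown"})`);
  }
  // Optional connectors reference their secret by env var name via secretEnv.
  const required = new Set(["GITHUB_TOKEN"]);
  for (const [i, extra] of (config?.sources?.extra ?? []).entries()) {
    const name = extra.name ?? `extra[${i}]`;
    if (!["file", "command"].includes(extra.mode)) {
      blockers.push(`${name}: mode must be "file" or "command"`);
    }
    if (extra.secretEnv !== undefined) {
      if (!ENV_NAME.test(extra.secretEnv)) {
        // Looks like a pasted token rather than a variable name: a committed-secret risk.
        blockers.push(`${name}: secretEnv must name an env var, not contain a secret value`);
      } else {
        required.add(extra.secretEnv);
        if (!env[extra.secretEnv]) blockers.push(`${name}: ${extra.secretEnv} is not set`);
      }
    }
  }
  return { ok: blockers.length === 0, blockers, requiredEnv: [...required].sort() };
}

// Constructed sample config: one clean connector and one with a literal key pasted in.
const SAMPLE_CONFIG = {
  actions: { mode: "pull_request" },
  sources: { extra: [
    { name: "glitchtip", mode: "command", secretEnv: "GLITCHTIP_TOKEN" },
    { name: "adapty", mode: "file", secretEnv: "sk_live_EXAMPLE_NOT_A_REAL_KEY" },
  ] },
};
```

Running preflightConfig(SAMPLE_CONFIG) in a shell where GITHUB_TOKEN and GLITCHTIP_TOKEN are exported yields a single blocker for the adapty entry, which is the case the "do not commit secrets into config.json" rule is meant to catch.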
