Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

strategic-analyst-skill

v1.0.1

Provides McKinsey-style industry and market analysis using classic frameworks to support strategic, investment, and market entry decisions with data-backed r...

by yamaz (@yamaz49)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's files and runtime instructions align with its stated purpose (framework templates, data source guides, data collection, report generation, quality gate). However, the SKILL.md and skill.yaml expect integration with an external MCP (Tavily) and native web/browser tools for deep research; that dependency is reasonable for the described functionality but is not reflected in the registry's declared required env vars/credentials (see environment_proportionality).
Instruction Scope
Runtime instructions mandate aggressive real-time web search, fetching/processing PDFs and images (OCR), use of agent-browser/WebFetch/summarize, and forced creation of data_collection.md containing search queries, tools used, source URLs and raw snippets. This stays within the skill's analytical purpose, but the forced logging of raw snippets and URLs increases data-handling sensitivity (may capture private links or PII if used against private/internal targets). The instructions forbid using non-public information, but they do not state where data_collection.md is stored or who can access it.
Install Mechanism
There is no external install script or remote download; the package is instruction-and-code bundled. No installer URLs or shorteners are used. That reduces supply-chain risk. Code files (data_collector.py, report_generator.py, quality_gate.py) are included; you should inspect them before running, but the install mechanism itself does not pull arbitrary external binaries.
Credentials
The SKILL.md and agent_instructions clearly require a Tavily API key (TAVILY_API_KEY in MCP settings.json) for deep research, yet the registry metadata lists no required env vars or primary credential. This is an explicit metadata/instruction mismatch: the skill will ask the user to add credentials to settings.json but the skill manifest does not declare that requirement. That omission makes it harder for users to discover the needed secret and for automated auditing to flag the dependency. Aside from Tavily, no other unrelated credentials are requested.
Persistence & Privilege
The skill is not force-installed (always: false) and uses normal autonomous invocation defaults. It requests automatic invocation of dependent skills (auto_invoke_skills) to perform web fetches, which is coherent with its purpose. The package does not request system-wide or cross-skill configuration changes in the manifest; the only notable persistence behavior is the forced generation/saving of data_collection.md (an intermediate artifact), but the destination/storage/access controls for that artifact are not specified and should be confirmed.
What to consider before installing
This skill largely does what it says: framework-driven, web-backed industry analysis with templates and quality checks. Before installing or using it:
- Verify and update the manifest: ask the publisher/registry to declare the Tavily credential (TAVILY_API_KEY) in the skill metadata so automated audits and admins can see the required secret.
- Inspect the bundled code: review tools/data_collector.py, tools/report_generator.py, and tools/quality_gate.py for any network endpoints, telemetry, or unexpected outbound connections before running them.
- Confirm where data_collection.md is saved and who can access it. The skill forces saving raw search queries, source URLs and snippets; ensure these logs are stored only in a trusted workspace and are not uploaded to external services.
- Be cautious with sensitive inputs: avoid running the skill against private/internal URLs or pasting confidential business data until you confirm storage and access controls.
- Test with non-sensitive queries first to observe which external tools are invoked (agent-browser, WebFetch, summarize, tavily) and whether any unexpected external hosts are contacted (inspect network logs).
- If you must provide a Tavily API key, scope it to least privilege and monitor its usage. If possible, prefer a dedicated key instead of a high-privilege account key.
If these points are acceptable and the code review shows no hidden endpoints, the skill can be used for its intended purpose. If the publisher cannot or will not update the manifest to declare the Tavily requirement, consider that a red flag and avoid providing credentials.
