Due Diligence Analyst

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a straightforward LLM-based due-diligence helper, with notes to verify its source and avoid over-relying on AI-generated investment analysis.

Before installing, verify the maintainer/source because the package metadata contains placeholders. When using it, avoid entering confidential deal data unless your LLM/provider policy allows it, and treat all reports as preliminary guidance that must be independently verified.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may have less assurance about who maintains the skill or whether the advertised repository is the intended source.

Why it was flagged

The package uses placeholder author and repository values, which weakens provenance clarity even though no automatic remote execution is shown.

Skill content

"author": { "name": "Your Name", "email": "your.email@example.com" }, "repository": { "url": "https://github.com/yourusername/openclaw-due-diligence-analyst.git" }

Recommendation

Install only from a trusted registry or verified repository, and confirm the maintainer/source before use.

What this means

Confidential due-diligence details entered by the user may be processed by the configured OpenClaw/Claude LLM provider.

Why it was flagged

User-provided prompts are sent to the platform LLM, which is purpose-aligned and disclosed, but may include sensitive deal or company information.

Skill content

const response = await context.llm.chat({ ... messages: [ { role: 'user', content: message } ] });

Recommendation

Avoid submitting non-public or regulated information unless the configured LLM provider and workspace policies are acceptable for that data.

What this means

Users could give too much weight to AI-generated investment analysis if they overlook the stated limitations.

Why it was flagged

The skill produces investment-style DD reports and recommendations, which could encourage over-reliance; the artifacts also include disclaimers and verification guidance, keeping this as a note.

Skill content

**Generate professional DD reports in minutes instead of weeks.**

Recommendation

Treat outputs as preliminary screening only and verify key facts through official sources and qualified professionals.