Investor Relations Manager
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: investor-relations-manager
Version: 1.0.0
The skill instructs the AI agent to perform high-risk operations, including cloning an external GitHub repository (ZhenRobotics/openclaw-investor-relations-manager), installing third-party npm dependencies, and executing local shell scripts (ir-cli.sh and script-to-video.sh). While these actions are plausibly required for the stated purpose of video generation using Remotion, the requirement to download and execute external code and store an OPENAI_API_KEY in a local .env file presents a significant attack surface and potential for supply chain exploitation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The behavior of the runnable project depends on code and dependencies fetched from outside this artifact set.
The skill depends on an external GitHub repository and npm dependencies that are not included in the provided ClawHub package.
git clone https://github.com/ZhenRobotics/openclaw-investor-relations-manager.git ~/openclaw-investor-relations-manager
cd ~/openclaw-investor-relations-manager
# Install dependencies
npm install
Review the GitHub repository and dependency files before use, pin to a trusted commit or release, and install in an isolated project directory.
Malformed or adversarial input could affect local shell execution if the agent or CLI does not pass arguments safely.
The skill tells the agent to run shell commands with user-supplied report text as an argument; this is central to the workflow but should be handled with safe quoting and user confirmation.
When user requests investor relations video generation, execute:
cd ~/openclaw-investor-relations-manager && ./agents/ir-cli.sh generate "Q3 revenue grew 45% to $2.3B. Net profit increased 60% to $35M."
Confirm before running commands, avoid blindly interpolating raw text into shell strings, and prefer passing report content through a file or argument-safe execution method.
The external project can use the OpenAI account associated with the key and may incur API charges if misused.
The skill requires a user-provided OpenAI API key stored in a local .env file; this is expected for TTS/Whisper use but is still a credential.
echo 'OPENAI_API_KEY="sk-your-key-here"' > .env
Use a dedicated or restricted API key, keep the .env file private, monitor usage, and rotate the key if it may have been exposed.
Nonpublic financial or stakeholder-communication drafts could be sent to an external AI provider as part of video generation.
The workflow uses OpenAI provider APIs to process generated financial narration/audio, so financial update content may leave the local environment.
TTS Generation - Professional business voice ... Timestamp Extraction - OpenAI Whisper API for precise segmentation
Check organizational policy and provider data-handling terms before using confidential financial data; use public, approved, or redacted content when required.
