Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
openclaw venture capitalist
v1.0.3 · OpenClaw venture capital analysis assistant: helps investors quickly review business plans and pitch decks and automatically generate investment analysis reports and presentations.
⭐ 0 · 78 · 0 current · 0 all-time
by Justin Liu (@zhenstaff)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill's name/description (VC investment analysis) matches the manifest, SKILL.md, and index.js: tools call ZhenCap endpoints for market sizing, competitor analysis, valuation, and risk scoring. The optional ZHENCAP_API_KEY and API URL are consistent with a cloud API client. The migration from a prior local v1.0.0 to a cloud v2.x is documented in multiple files.
Instruction Scope
SKILL.md and README clearly document what parameters are sent (industry, company names, revenue, growth rates, etc.) and explicitly state that full local files are not transmitted (the analyze_bp tool was removed). The one user-impact item: v2 is cloud-only (no local document parsing), which is repeatedly documented but could surprise users expecting fully local processing — users with sensitive BP content should avoid using the cloud tools or stay on v1.0.0.
Install Mechanism
This is essentially instruction-only with a small Node.js module (index.js) and a normal npm dependency (axios). There is no ad-hoc external download URL or archive extraction recorded. No install spec means lower install risk; runtime will create an axios HTTP client to the declared apiEndpoint.
Credentials
No required environment variables are declared in registry metadata; the skill accepts an optional ZHENCAP_API_KEY and ZHENCAP_API_URL, which match the paid-tier/auth model described in docs. The optional API key is reasonable for a cloud API client and the free tier behavior (IP/User-Agent based quota) is documented.
Persistence & Privilege
No elevated privileges requested: always:false, no required config paths, no binaries, and the skill does not modify other skills or system-wide settings. It only constructs an HTTP client and issues POSTs to the vendor API.
Scan Findings in Context
[ENV_API_KEY_USAGE] expected: index.js reads process.env.ZHENCAP_API_KEY and conditionally sets an Authorization header. This is expected for an optional paid API key.
[API_ENDPOINT_USAGE] expected: index.js posts to https://www.zhencap.com/api/v1 (default) or to ZHENCAP_API_URL. Expected for a cloud API client.
[ANALYZE_BP_REMOVAL] expected: The repository includes migration notes and changelogs describing removal of analyze_bp to avoid sending full business-plan text; SKILL.md and manifest no longer include that tool. This removal aligns with the stated privacy claims.
[PRE_SCAN_INJECTION] expected: No pre-scan injection signals were detected in the package metadata provided.
Assessment
This skill is coherent: it is a small Node.js client that sends market/financial query parameters to a ZhenCap API and supports an optional API key. Before installing:
1) Confirm you are comfortable with cloud-based processing (v2 no longer does local file parsing); if you must keep data local, continue using v1.0.0.
2) Do not upload or paste proprietary business-plan PDFs or other sensitive documents into the skill; the vendor explicitly removed the BP-analysis tool for now.
3) Verify the vendor (www.zhencap.com) privacy page and contact addresses (privacy@zhencap.com, security@zhencap.com); several files reference those pages, but some vendor action items suggest parts may still be pending.
4) If using the free tier, expect IP/User-Agent-based quota tracking (documented); treat this as identifying telemetry.
5) If you require stronger assurances (audit, SOC2, DPA), request evidence from the vendor before sending sensitive data.
Overall the package is internally consistent, but review and verify vendor privacy/security claims if you plan to send confidential info.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
index.js:8: Environment variable access combined with network send.
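The index.js:8 finding pairs an environment read with a network send. The following is an added example, not the skill's own index.js and not ClawHub's scanner: it reproduces that combined check offline on a constructed source modelled on what the report describes (API key from process.env into an Authorization header, axios POSTs to the vendor endpoint or a ZHENCAP_API_URL override), and adds two pre-install checks a practitioner would want: that an endpoint override still points at the vendor host over HTTPS, and that a request body carries only the documented query fields. The sample source, the regexes, the allowed-host list and the field allowlist are this example's assumptions.

```javascript
// Added example: offline reproduction of the scanner's
// "environment variable access combined with network send" finding, plus two
// pre-install checks. Not the skill's index.js and not ClawHub's scanner;
// the regexes, sample source and allowlists below are assumptions.

// Constructed sample modelled on what the scan report describes:
// process.env.ZHENCAP_API_KEY becomes an Authorization header and requests
// go to https://www.zhencap.com/api/v1 unless ZHENCAP_API_URL overrides it.
// It stands in for the real index.js for this demonstration.
const SAMPLE_INDEX_JS = `
const axios = require("axios");
const DEFAULT_URL = "https://www.zhencap.com/api/v1";
const baseURL = process.env.ZHENCAP_API_URL || DEFAULT_URL;
const apiKey = process.env.ZHENCAP_API_KEY;
const headers = { "User-Agent": "openclaw-vc/1.0.3" };
if (apiKey) headers.Authorization = "Bearer " + apiKey;
const client = axios.create({ baseURL, headers });
async function marketSize(params) {
  const res = await client.post("/market-size", params);
  return res.data;
}
module.exports = { marketSize };
`;

// process.env.NAME or process.env["NAME"]
const ENV_READ = /process\.env(?:\.([A-Za-z_]\w*)|\[\s*["']([^"']+)["']\s*\])/g;
// axios(...) / axios.create(...) / fetch(...) / http(s).request(...) / <instance>.post(...)
const NET_SINK = /\b(?:axios(?:\.\w+)?|fetch|https?\.(?:request|get)|[A-Za-z_$][\w$]*\.(?:post|request))\s*\(/g;

// Walk the source line by line and record env reads and network sinks.
function auditSource(src) {
  const findings = { envReads: [], netSinks: [], envToNetwork: false };
  src.split("\n").forEach((line, idx) => {
    const lineNo = idx + 1;
    for (const m of line.matchAll(ENV_READ)) {
      findings.envReads.push({ line: lineNo, name: m[1] || m[2] });
    }
    for (const m of line.matchAll(NET_SINK)) {
      findings.netSinks.push({ line: lineNo, call: m[0].replace(/\s*\($/, "") });
    }
  });
  // The scanner's combined pattern: a module that both reads the environment
  // and talks to the network can send what it read off the host.
  findings.envToNetwork = findings.envReads.length > 0 && findings.netSinks.length > 0;
  return findings;
}

// An env-overridable base URL sends the Authorization header to whatever host
// the environment names. Accept an override only if it is HTTPS and on a host
// you expect; the default allowlist here is an assumption.
function endpointOverrideOk(override, allowedHosts = ["www.zhencap.com", "zhencap.com"]) {
  if (!override) return true; // unset: the built-in default endpoint is used
  let u;
  try { u = new URL(override); } catch { return false; }
  return u.protocol === "https:" && allowedHosts.includes(u.hostname);
}

// The docs say only query parameters (industry, company names, revenue, growth
// rates, ...) are sent. Return any body keys outside a documented allowlist so
// an outbound interceptor can refuse the request. Field names are assumed.
const DOCUMENTED_FIELDS = ["industry", "companyNames", "revenue", "growthRate"];
function undocumentedFields(body, allowlist = DOCUMENTED_FIELDS) {
  return Object.keys(body).filter((k) => !allowlist.includes(k));
}

console.log(JSON.stringify(auditSource(SAMPLE_INDEX_JS), null, 2));
console.log("override ok:", endpointOverrideOk(process.env.ZHENCAP_API_URL));
console.log("unexpected fields:", undocumentedFields({ industry: "saas", pitchDeck: "..." }));
```

Run it with node against the published index.js by swapping the constructed sample for the file contents; the combined finding is only a prompt to read those lines, and the override and field checks are what to wire into the environment and an axios request interceptor if you decide to install.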
latest · vk97562pf60pdcfznz76j6907ts841x26
