Run an autoresearch-style growth loop for landing pages, onboarding, pricing, and experiment candidates. Collect or read analytics snapshots, preserve produc...
Security Analysis
high confidenceThe skill's required tools, scripts, and instructions match its stated purpose (running an autoresearch growth loop and collecting analytics snapshots); it reads/writes local run files and uses npx to invoke the Agent Analytics CLI, which is coherent with the description.
Name/description (autoresearch, analytics-driven variant generation) align with the included scripts and SKILL.md. The skill requires npx (used to run @agent-analytics/cli) which is appropriate for collecting analytics snapshots; no unrelated credentials, binaries, or config paths are requested.
Runtime instructions are scoped to reading/writing local run files (brief.md, results.tsv, final_variants.md, data snapshots) and generating variants. The SKILL.md explicitly forbids editing production code without human approval. It instructs use of analytics data sources (Agent Analytics CLI, CSV, SQL, screenshots) only for variant generation and judging—no hidden file reads or unspecified exfiltration steps are present.
There is no formal install spec (instruction-only), which keeps risk low. The included scripts call npx --yes to fetch and run @agent-analytics/cli at runtime; this will download and execute code from npm when collecting snapshots. That is expected for this purpose but carries the usual moderate risk of running third-party packages fetched at runtime—review the CLI package if you need stronger assurance.
The skill declares no required environment variables or credentials. The only runtime dependency is the npx binary. Example shell snippets use local variables (PROJECT_SLUG, PRIMARY_EVENT, etc.) but these are inputs for the analytics commands, not hidden credential requests.
always is false and the skill does not request system-wide changes. It reads and writes files only within the run directory it creates/uses and does not modify other skills or global agent settings. The SKILL.md enforces a review-before-implement policy for any outer-loop actions.
Guidance
This skill appears to do what it claims: create a local run folder, collect analytics snapshots (by running @agent-analytics/cli via npx), and produce reviewable experiment variants. Before installing or running: (1) be aware that npx --yes will download and execute a package from npm at runtime—review @agent-analytics/cli (source or package metadata) if you require assurance; (2) the scripts write files under a run directory (brief.md, results.tsv, data/…), so run them in a sandbox or repository you control; (3) be careful what analytics data you include—avoid copying PII into snapshots; (4) the skill will not change production systems unless you explicitly approve the outer-loop implementation, but always verify any follow-up commands before consenting to automated implementation. If you want more assurance, ask the author for the CLI source link or run the snapshot commands manually first.
Latest Release
v1.0.6
Include the autoresearch results header template in ClawHub installs.
More by @dannyshmueli
Published by @dannyshmueli on ClawHub
