
Risks & Mitigations (Validated)

                       LIKELIHOOD
               Low       Medium      High
           ┌──────────┬──────────┬──────────┐
I   High   │          │    R3    │  R1, R2  │
M          ├──────────┼──────────┼──────────┤
P   Medium │    R8    │  R6, R7  │  R4, R5  │
A          ├──────────┼──────────┼──────────┤
C   Low    │   R10    │    R9    │          │
T          └──────────┴──────────┴──────────┘

R1: Snyk

Likelihood: HIGH | Impact: HIGH | Priority: CRITICAL

Description: Snyk acquired Invariant Labs (creators of mcp-scan) and has $408M ARR with 5,000+ enterprise customers. They published the “7.1% of ClawHub skills leak credentials” research. They already have the enterprise distribution, scanning technology, and developer trust to own MCP security.

Why this is different from the prior “platform risk”: This isn’t hypothetical. Snyk has ALREADY entered the market with real products (Snyk agent-scan, Evo Agent Security Analyzer). They have more resources, more customers, and more credibility than Findable will have for years.

Mitigations:

  1. Different product surface — Snyk scans and reports. Findable integrates scanning into discovery. Trust scores visible at search time, not deployment time. Snyk has never built a marketplace or discovery layer.
  2. Cross-platform registry — Snyk focuses on enterprise security. Findable covers discovery + trust + governance as an integrated platform.
  3. Open-source community — Snyk started open-source and moved upmarket. We can capture the developer-community niche they’re vacating.
  4. Governance beyond scanning — Private registries, policy engine, approval workflows. Snyk doesn’t do skill governance; they scan code.

Honest assessment: If Snyk launches a full registry + discovery + governance product, our security positioning erodes significantly. We’d need to differentiate on cross-platform discovery and commerce.


R2: ClawHub / Platform Registries Build Everything

Likelihood: HIGH | Impact: HIGH | Priority: CRITICAL

Description: ClawHub is already integrated with OpenClaw’s installation pipeline. They could add security scanning, trust scores, and governance features themselves. Similarly, Anthropic could expand the official MCP registry beyond minimal metadata.

Mitigations:

  1. Cross-platform neutrality — ClawHub is OpenClaw-only. The official MCP Registry lists 518 servers. Neither covers the full ecosystem (MCP + SKILL.md + all registries).
  2. Anthropic’s deliberate minimalism — Anthropic explicitly designed the MCP Registry as a “canonical feed” and donated MCP to Linux Foundation (AAIF). They’re signaling neutrality, not platform control.
  3. Security crisis in ClawHub — ClawHavoc incident (341 malicious skills) and OpenClaw creator joining OpenAI (Feb 14, 2026) create uncertainty. ClawHub may not have the resources/focus to build enterprise-grade security.
  4. Enterprise features — Platform registries rarely build enterprise governance (SSO, policy engines, compliance reports). It’s not their core competency.

Honest assessment: If ClawHub adds security scanning + trust scores + governance, AND achieves cross-platform coverage, Findable’s value prop narrows to commerce (which is premature).


R3: Security Breach / Trust Score Liability

Likelihood: MEDIUM | Impact: HIGH | Priority: HIGH

Description: If a skill we’ve scanned and rated with a high trust score turns out to be malicious, we face liability, reputational damage, and loss of the trust that IS our product.

Mitigations:

  1. Clear ToS — Trust scores are informational, not guarantees. Standard liability limitations.
  2. Multi-layered scanning — Static + semantic + dependency + permission mapping. No single point of failure.
  3. Transparent methodology — Publish exactly how trust scores are calculated.
  4. Bug bounty program — Incentivize responsible disclosure of scanner bypasses.
  5. Continuous monitoring — Re-scan every 7 days. Alert on changes.
  6. Cybersecurity insurance — $5M+ coverage.
  7. Incident response playbook — Pre-written for security incidents.
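The R3 mitigations above state a concrete monitoring policy: re-scan every skill every 7 days and alert on changes. The following Python is an added example, not Findable's code, showing how that policy can be enforced mechanically so a trust score is never served against an artifact that has drifted since it was scanned. The ScanRecord store, the toy_scanner (which only flags hardcoded-credential-looking assignments, standing in for the real static/semantic/dependency layers) and the sample SKILL.md contents are all constructed for this example.

```python
"""Continuous-monitoring sweep for a skill registry (added example, not Findable's code).

Implements the R3 policy: a skill is re-scanned when its content hash changes
or when 7 days have elapsed since the last scan; both a content change and a
trust-score drop raise an alert. Scanner and data below are constructed stand-ins.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RESCAN_INTERVAL = timedelta(days=7)  # re-scan interval from the mitigation list

# Toy static check: hardcoded-credential-looking assignments such as API_KEY = '...'
SECRET_PATTERN = re.compile(r"(?i)(api[_-]?key|secret|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]")


@dataclass
class ScanRecord:
    skill: str
    content_hash: str      # sha256 of the artifact that was actually scanned
    scanned_at: datetime   # timezone-aware UTC
    trust_score: int       # 0-100, informational only (mitigation 1)


def content_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def toy_scanner(data: bytes) -> int:
    """Hypothetical scanner: 100 minus 30 per credential-looking assignment, floor 0."""
    hits = len(SECRET_PATTERN.findall(data.decode("utf-8", errors="replace")))
    return max(0, 100 - 30 * hits)


def rescan_reason(record: ScanRecord, current: bytes, now: datetime) -> str | None:
    """Why this record must be refreshed, or None if it is still valid."""
    if content_hash(current) != record.content_hash:
        return "content-changed"   # artifact drifted: the stored score no longer describes it
    if now - record.scanned_at >= RESCAN_INTERVAL:
        return "interval-elapsed"  # 7-day policy applies even to unchanged bytes
    return None


def rescan(record: ScanRecord, current: bytes, now: datetime, scanner=toy_scanner):
    """Re-run the scanner if the policy requires it; returns (record, alerts)."""
    reason = rescan_reason(record, current, now)
    if reason is None:
        return record, []
    new = ScanRecord(record.skill, content_hash(current), now, scanner(current))
    alerts = []
    if reason == "content-changed":
        alerts.append(f"{record.skill}: artifact changed since {record.scanned_at.date()}")
    if new.trust_score < record.trust_score:
        alerts.append(f"{record.skill}: trust score fell {record.trust_score} -> {new.trust_score}")
    return new, alerts


def sweep(records: list[ScanRecord], artifacts: dict[str, bytes], now: datetime, scanner=toy_scanner):
    """Apply the policy to every record; returns (updated records, all alerts)."""
    updated, alerts = [], []
    for rec in records:
        new, found = rescan(rec, artifacts[rec.skill], now, scanner)
        updated.append(new)
        alerts.extend(found)
    return updated, alerts


# Constructed sample data: one fresh skill, one stale skill, one whose content drifted.
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
CLEAN = b"# SKILL.md\nname: weather\nDescribe the weather for a city.\n"
LEAKY = CLEAN + b"API_KEY = 'sk-live-0123456789abcdef'\n"
SAMPLE_RECORDS = [
    ScanRecord("weather", content_hash(CLEAN), NOW - timedelta(days=2), 100),
    ScanRecord("weather-old", content_hash(CLEAN), NOW - timedelta(days=8), 100),
    ScanRecord("weather-drift", content_hash(CLEAN), NOW - timedelta(days=1), 100),
]
SAMPLE_ARTIFACTS = {"weather": CLEAN, "weather-old": CLEAN, "weather-drift": LEAKY}

if __name__ == "__main__":
    records, alerts = sweep(SAMPLE_RECORDS, SAMPLE_ARTIFACTS, NOW)
    for rec in records:
        print(f"{rec.skill:14} scanned {rec.scanned_at.date()} score {rec.trust_score}")
    for line in alerts:
        print("ALERT", line)
```

The content-hash check matters more than the calendar: a skill republished an hour after its scan would otherwise carry a 7-day-old score for a different artifact, which is exactly the liability R3 describes.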

R4: Commerce readiness

Likelihood: HIGH | Impact: MEDIUM | Priority: HIGH

Description: Total paid-skill revenue across the entire ecosystem is <$100K/month. Open-source culture dominates. The only documented individual success is 21st.dev at ~$400/mo MRR.

Mitigations:

  1. Don’t depend on commerce — Enterprise governance is the primary revenue model. Commerce is Phase 4 and conditional.
  2. Free-first model — Never gate free skills. The marketplace is for ADDITIONAL value.
  3. SaaS-connected skills — The commerce that works is B2B (Apify, Composio), not individual developer monetization. Focus on SaaS vendors when commerce launches.
  4. Monitor leading indicators — Only build commerce when a paid MCP server hits $100K+ ARR.

R5: Vercel skills.sh

Likelihood: HIGH | Impact: MEDIUM | Priority: HIGH

Description: Vercel launched skills.sh in January 2026: 57,000+ indexed skills, 110,000 installs in 4 days. Vercel has massive developer trust and distribution.

Mitigations:

  1. Cross-platform — skills.sh is SKILL.md/Mastra-focused. Findable covers MCP + SKILL.md + future protocols.
  2. Security gap — skills.sh has no security scanning, no trust scores. This is our core differentiator.
  3. Enterprise gap — skills.sh has no enterprise features. No governance, no SSO, no audit logs.
  4. If skills.sh adds security: Compete on depth (we have dedicated scanning vs. their bolt-on) and enterprise governance.

R6: Enterprise adoption

Likelihood: MEDIUM | Impact: MEDIUM | Priority: MEDIUM

Description: Enterprise sales cycles are 3-6+ months. 40% of agentic AI projects may be canceled by 2027 (Gartner). Enterprises may adopt agents slower than projected.

Mitigations:

  1. PLG bottom-up motion — Free scanner creates usage within enterprises before we sell.
  2. Security as accelerator — Our scanning actually ENABLES enterprise adoption by solving their biggest objection.
  3. Don’t over-invest early — Enterprise governance starts at Month 8, not Month 1.
  4. Target tech companies first — Shorter procurement cycles, already using AI agents.

R7: Composio

Likelihood: MEDIUM | Impact: MEDIUM | Priority: MEDIUM

Description: Composio has $29M funding, $2M ARR, 200+ enterprise customers, and 100K+ developers. If they add a public discovery layer, they’d combine enterprise revenue + developer distribution.

Mitigations:

  1. Different approach — Composio is a managed integration platform (they run the tools). Findable is a registry/discovery layer (we index and score, tools run wherever).
  2. Cross-platform — Composio is platform-specific. Findable is protocol-neutral.
  3. Open-source core — Composio is proprietary. Open-source scanner builds community moat.

R8: Regulatory

Likelihood: LOW | Impact: MEDIUM | Priority: LOW

Description: New regulations around AI agents or digital marketplace rules could affect our business.

Mitigations:

  1. Compliance-first — SOC2, GDPR from early stages.
  2. Position as safety infrastructure — Regulators favor security scanning and governance tools.
  3. Regulatory monitoring — Track AI regulation developments.

R9: MCP ecosystem

Likelihood: MEDIUM | Impact: LOW-MEDIUM | Priority: LOW

Description: 97M monthly SDK downloads could be CI/CD inflation. If real active users are much lower than assumed, or if MCP adoption plateaus, the TAM shrinks.

Mitigations:

  1. Multi-protocol support — MCP + SKILL.md + future protocols. Not tied to one standard.
  2. Enterprise governance is protocol-agnostic — Companies need governance regardless of protocol.
  3. Watch quarterly SDK downloads — If growth stalls for 2+ quarters, re-evaluate.

R10: Macro economy

Likelihood: LOW | Impact: MEDIUM | Priority: LOW

Description: Economic downturn could reduce VC funding and enterprise AI budgets.

Mitigations:

  1. Capital efficiency — India engineering hub keeps burn low ($40-80K/month in Phase 1-2).
  2. Counter-cyclical angle — Security and compliance tools see INCREASED demand during belt-tightening (risk management priority rises).
  3. 67% of enterprises will maintain AI spending even in recession (KPMG AI Pulse Survey).

Risk                      Monitoring signal                                      Check frequency
R1: Snyk                  Snyk blog, product launches, Invariant Labs updates    Weekly
R2: Platform registries   ClawHub/Anthropic announcements, API changes           Weekly
R3: Security breach       Bug bounty submissions, scanner bypass reports         Daily
R4: Commerce readiness    Paid skill revenue data, Apify/21st.dev metrics        Monthly
R5: Vercel skills.sh      skills.sh feature additions, adoption metrics          Weekly
R6: Enterprise adoption   Pipeline velocity, demo-to-close ratio                 Monthly
R7: Composio              Product announcements, feature launches                Bi-weekly
R8: Regulatory            AI regulation trackers, legal counsel                  Monthly
R9: MCP ecosystem         SDK downloads, new server counts, registry growth      Quarterly
R10: Macro economy        VC deal flow, enterprise budget surveys                Quarterly

If any of these occur, seriously reconsider the Findable thesis:

  1. Snyk launches integrated registry + security + governance — Our value prop collapses
  2. After 12 months, <500 monthly active users on discovery — No product-market fit
  3. MCP ecosystem growth stalls (SDK downloads plateau for 2+ quarters) — TAM evaporates
  4. Anthropic expands official registry to full marketplace — Platform wins
  5. No enterprise pilot converts after 6 months of selling — Enterprise revenue thesis fails