ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AfrexAI Competitor Monitor

v1.0.0

Tracks and analyzes competitor moves — pricing changes, feature launches, hiring, and positioning shifts

0· 851·2 current·2 all-time
by@1kalin
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description align with the SKILL.md: it instructs the agent to monitor pricing, features, hiring, SEO, funding, reviews, and social signals. The skill requests no binaries, environment variables, or credentials that would be out of scope for competitor monitoring.
Instruction Scope
Instructions are high-level and only ask the agent to 'research their current state' and produce reports. That open-ended phrasing grants broad discretion about which sources to consult (public web, social, job boards, paid services), which could lead to unintended data access if not constrained, but the file does not explicitly instruct reading private files or exfiltrating credentials.
Install Mechanism
This is an instruction-only skill with no install spec or code to fetch or execute. That minimizes installation risk. Note: the registry metadata shows an unknown source and no homepage, so provenance is limited — low technical risk here but less transparency about the publisher.
Credentials
The skill declares no required environment variables, credentials, or config paths. It does reference other skills (clawhub install <...>) and an external paid context-pack URL, which would expand capability if the user follows those links, but the skill itself does not request secrets or unrelated credentials.
Persistence & Privilege
Flags are default (always:false, user-invocable:true, model invocation allowed). The skill does not request permanent presence or system-wide changes.
Assessment
This skill appears coherent and low-risk because it only contains high-level instructions and asks for no credentials. Before installing, consider: 1) provenance — the skill has no homepage/source listed; if that matters to you, request publisher details. 2) scope controls — the instructions are vague about which sources to use; decide and restrict allowed sources (public websites only, no internal repos or private systems). 3) third-party expansions — it suggests installing other skills and links to a paid context pack; review those separately for privacy/charges. 4) autonomy — if you prefer tighter control, use it via user-invocable only or review agent logs for any automated runs. 5) legal/ethical scraping — ensure monitoring actions comply with terms of service and privacy laws. If you want stronger assurance, ask the publisher for a homepage, a README with source references, or a whitelist of allowed data sources before enabling autonomous runs.

Like a lobster shell, security has layers — review code before you run it.

latestvk971xda2ydqy8vhhjaahk3kq1181340s

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments