Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Competitor Tracker

v1.0.0

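Comprehensive monitoring of competitor prices, sales, reviews, and promotions. Suited to e-commerce sellers, market analysts, and brand operations teams.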

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Declared requirements (python3, curl, requests, pandas) match a lightweight scraping + data analysis workflow. However, the skill promises continuous, cross‑platform monitoring (Taobao, JD, Pinduoduo, Amazon, Douyin, Xiaohongshu, etc.) and paid tiers with hourly updates without any scheduling/infrastructure, proxy, headless browser, or authentication guidance. For many listed platforms, reliable monitoring typically requires additional tooling (headless browsers, anti‑bot handling), proxies, or API credentials; none are requested or documented here.
Instruction Scope
The SKILL.md is high-level and user-facing (how to ask the skill) but contains no concrete runtime instructions for safe, compliant scraping (no rate limits, no credential handling, no proxy/anti‑bot guidance, no mention of respecting robots.txt or platform ToS). That vagueness gives the agent broad discretion to fetch pages from many third‑party sites which could lead to abusive scraping patterns or require credentials the skill doesn't request.
Install Mechanism
No install spec that writes arbitrary archives to disk; metadata lists pip installs for requests and pandas which is reasonable for an instruction-only skill. This is moderate risk (pip packages are normal) but the skill does not provide code — it only suggests dependencies, so behavior depends entirely on how the agent implements scraping.
Credentials
The skill requests no environment variables or credentials, which keeps its footprint small. However, because the advertised platforms often require logins or region‑specific access, the absence of any guidance or optional credential slots is an incoherence: either the skill expects unauthenticated scraping (fragile/likely to fail or trigger anti‑bot protections) or it implicitly expects operators to supply credentials/proxies outside the declared requirements.
Persistence & Privilege
always: false and no special privileges requested. The skill is user-invocable and can be invoked autonomously (platform default) but it does not request permanent presence or modify other skills/configs.
What to consider before installing
This skill appears to be a high‑level recipe for scraping and analyzing competitor pages rather than a self-contained monitored service. Before installing, consider: (1) how will hourly/real‑time monitoring actually run — do you need a scheduler or server? (2) many listed sites implement bot protections and/or require logins — you may need proxies, headless browsers (e.g., Puppeteer), or API access; the skill does not request or document these. (3) scraping can violate site ToS and may lead to IP blocks or account suspension; prefer official APIs where available. (4) avoid supplying account credentials unless you trust the implementation; if you plan to use credentials or third‑party proxies, require explicit fields in the skill manifest and audit where they are stored. If you still want to use it, ask the author for a concrete runtime plan (how scraping is performed, rate limits, proxy/auth handling, and legal/compliance guidance) or prefer an implementation that uses official platform APIs.

Like a lobster shell, security has layers — review code before you run it.

latestvk970cae8q6a6rtm978m6t01rmh83hfp1

Runtime requirements

👀 Clawdis
Bins: python3, curl
