ClawHub

Competitor Finder

v1.0.0

Identifies 3-5 competitors for a given brand using SerpAPI, DataForSEO, or OpenAI fallback, returning names, websites, and optional reasons for competition.

0· 217·0 current·1 all-time
byAdarsh More@adarshvmore
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's stated purpose (finding competitors via SerpAPI/DataForSEO with an OpenAI fallback) matches the methods described in SKILL.md. However, the registry metadata lists no required environment variables while SKILL.md clearly depends on SERPAPI_KEY, DATAFORSEO_LOGIN, DATAFORSEO_PASSWORD, and OPENAI_API_KEY. That metadata omission is an incoherence: someone implementing this feature legitimately needs those credentials.
!
Instruction Scope
SKILL.md instructs the agent to call external APIs (SerpAPI, DataForSEO, and OpenAI) and to log brandName and domain on errors. Sending brand/domain to third-party APIs is expected for this task, but it is data exfiltration to external endpoints and should be explicitly declared in metadata and user documentation. The instructions do not request any unrelated local files or system credentials.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest-risk installation behaviour. Nothing is written to disk by the skill itself per the provided materials.
!
Credentials
The skill requires multiple service credentials (SERPAPI_KEY, DATAFORSEO_LOGIN/PASSWORD, OPENAI_API_KEY) which are proportionate to the described multi-backend approach, but the registry metadata declares no required env vars. The missing declarations are a security/privacy and transparency issue. Also note that logging brandName/domain could expose sensitive or proprietary brand queries in logs.
Persistence & Privilege
No elevated persistence requested: always is false, user-invocable and autonomous invocation are default. The skill does not request modifying other skills or system-wide config.
What to consider before installing
This skill appears to do what it says (use search APIs and an OpenAI fallback), but the registry metadata does not list the environment variables the instructions require. Before installing/providing secrets: (1) Confirm the registry metadata is updated to list SERPAPI_KEY, DATAFORSEO_LOGIN, DATAFORSEO_PASSWORD, and OPENAI_API_KEY so you know what will be sent to external services. (2) Decide whether you are comfortable sending brand names/domains to third-party APIs (these calls will transmit that data). (3) Be aware of costs/rate limits for SerpAPI/DataForSEO/OpenAI. (4) If you don't want model calls, ask the maintainer to remove or gate the OpenAI fallback. (5) Prefer providing a single trusted API credential (or scoped credentials) rather than multiple long-lived secrets. If the maintainer cannot explain the metadata omission, treat the package as untrusted until corrected.

Like a lobster shell, security has layers — review code before you run it.

latestvk971sdermavkkdtnv9q4gbn1y582bx0n

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments