Competitor Finder Adarsh

v1.0.1

Finds 3-5 competitors for a brand by querying SerpAPI, then DataForSEO, and finally an OpenAI fallback if needed, returning names, websites, and reasons.

by Adarsh More (@adarshvmore) · duplicate of @adarshvmore/competitor-finder
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The described purpose (finding competitors via SerpAPI/DataForSEO with an OpenAI fallback) is coherent with the implementation steps in SKILL.md, but the registry metadata lists no required environment variables or primary credential while SKILL.md explicitly requires SERPAPI_KEY, DATAFORSEO_LOGIN/DATAFORSEO_PASSWORD, and OPENAI_API_KEY. That mismatch is unexpected and disproportionate to the manifest.
! Instruction Scope
SKILL.md instructs only API calls and result parsing (SerpAPI, DataForSEO, OpenAI) and standard logging, which is within the stated scope. However the instructions reference environment variables (process.env.SERPAPI_KEY, DATAFORSEO_*, OPENAI_API_KEY) that are not declared in the skill metadata; instructions also log brandName and domain in error messages, so sensitive inputs will be recorded and potentially appear in logs or telemetry.
Install Mechanism
This is an instruction-only skill with no install spec and no code files; nothing is written to disk by an installer. That lowers install-time risk.
! Credentials
Requesting API keys for SerpAPI, DataForSEO, and OpenAI is proportionate to the task. The problem is the registry declares no required env vars/primary credential despite the SKILL.md requiring multiple service credentials; the manifest should explicitly list these so users know what secrets will be needed. Also, the skill will send brand names/domains to external services which may have privacy/billing implications.
Persistence & Privilege
The skill does not request permanent presence (always: false) and does not attempt to modify other skills or system-wide configs. It relies on external APIs at runtime but does not request elevated agent privileges.
What to consider before installing
Do not install or enable this skill until the manifest and metadata are corrected and you understand what credentials it needs. Specific actions to take before use:
- Ask the skill publisher to update registry metadata to explicitly list the required environment variables (SERPAPI_KEY, DATAFORSEO_LOGIN, DATAFORSEO_PASSWORD, OPENAI_API_KEY) and a primary credential.
- Only provide dedicated, least-privileged API keys (not shared or root keys), and enable billing/usage alerts to detect unexpected calls.
- Be aware that the skill will send brandName and optional domain to third-party APIs (SerpAPI, DataForSEO, OpenAI). If that data is sensitive, do not use those services or sanitize inputs.
- Confirm logging practices: errors include brandName/domain in logs — ensure logs are stored securely and redacted if needed.
- Request source code or an implementation (not just SKILL.md) before trusting the skill; with no code to review, you have to trust the publisher.
- If you proceed, run the skill in a constrained environment, rotate keys after testing, and monitor network activity and billing for unexpected usage.

Like a lobster shell, security has layers — review code before you run it.
