Skill v1.0.1
ClawScan security
Competitor Finder Adarsh · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Mar 7, 2026, 1:13 AM)
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's documented runtime clearly requires API credentials (SerpAPI, DataForSEO, OpenAI) and logs brand/domain data, but the registry metadata declares no required environment variables — an incoherence that should be resolved before trusting or installing the skill.
- Guidance: Do not install or enable this skill until the manifest and metadata are corrected and you understand what credentials it needs. Specific actions to take before use:
  - Ask the skill publisher to update registry metadata to explicitly list the required environment variables (SERPAPI_KEY, DATAFORSEO_LOGIN, DATAFORSEO_PASSWORD, OPENAI_API_KEY) and a primary credential.
  - Only provide dedicated, least-privileged API keys (not shared or root keys), and enable billing/usage alerts to detect unexpected calls.
  - Be aware that the skill will send brandName and optional domain to third-party APIs (SerpAPI, DataForSEO, OpenAI). If that data is sensitive, do not use those services or sanitize inputs.
  - Confirm logging practices: errors include brandName/domain in logs; ensure logs are stored securely and redacted if needed.
  - Request source code or an implementation (not just SKILL.md) before trusting the skill; with no code to review, you have to trust the publisher.
  - If you proceed, run the skill in a constrained environment, rotate keys after testing, and monitor network activity and billing for unexpected usage.
Review Dimensions
- Purpose & Capability (concern): The described purpose (finding competitors via SerpAPI/DataForSEO with an OpenAI fallback) is coherent with the implementation steps in SKILL.md, but the registry metadata lists no required environment variables or primary credential while SKILL.md explicitly requires SERPAPI_KEY, DATAFORSEO_LOGIN/DATAFORSEO_PASSWORD, and OPENAI_API_KEY. That mismatch is unexpected and disproportionate to the manifest.
- Instruction Scope (concern): SKILL.md instructs only API calls and result parsing (SerpAPI, DataForSEO, OpenAI) and standard logging, which is within the stated scope. However, the instructions reference environment variables (process.env.SERPAPI_KEY, DATAFORSEO_*, OPENAI_API_KEY) that are not declared in the skill metadata; the instructions also log brandName and domain in error messages, so sensitive inputs will be recorded and may appear in logs or telemetry.
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no code files; nothing is written to disk by an installer. That lowers install-time risk.
- Credentials (concern): Requesting API keys for SerpAPI, DataForSEO, and OpenAI is proportionate to the task. The problem is that the registry declares no required env vars/primary credential despite SKILL.md requiring multiple service credentials; the manifest should explicitly list these so users know what secrets will be needed. Also, the skill will send brand names/domains to external services, which may have privacy/billing implications.
- Persistence & Privilege (ok): The skill does not request permanent presence (always: false) and does not attempt to modify other skills or system-wide configs. It relies on external APIs at runtime but does not request elevated agent privileges.
