Skill v1.0.0

ClawScan security

competitive-teardown · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (scanned Mar 11, 2026, 3:45 PM)
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's files and runtime instructions are consistent with a competitive-intelligence tool; nothing in the package indicates it is trying to do anything other than collect and synthesize publicly available signals. There are, however, a few small inconsistencies to review before running it.
Guidance
This package looks like a legitimate competitive-intelligence helper, but review a few things before using it:
1) The SKILL.md mentions 'full executable scripts' for data collection, but the included data-collection reference is descriptive rather than containing fetch/scrape scripts; expect to supply your own collectors or API keys.
2) If you intend to pull data from Twitter/X, LinkedIn, App Stores, or other APIs, ensure you have appropriate API keys and that your use complies with each service's terms of service; do not feed private/internal documents or unrelated credentials to the agent.
3) Inspect the included Python script (scripts/competitive_matrix_builder.py) before running it; the repository shows the script truncated at the end (an apparent cut in the main() argument parsing), so verify the script is complete and safe to execute.
4) If you want the agent to fetch data autonomously, restrict which credentials are available to the agent and log/examine network calls during initial runs.
If you need higher assurance, have a developer do a quick code review of the script and any data-collection code you plan to run.
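The checks in items 3 and 4 above, and the credential-scoping advice under the Credentials dimension below, as an added example that is not part of the ClawScan report or of the skill itself: a small Python triage tool that parses a bundled script to catch truncation (a file cut off mid-function does not parse), inventories the network, subprocess, environment-read and file-write calls it makes, and launches it with an environment containing only allow-listed variables. The SAMPLE script, the X_BEARER_TOKEN name and the helper names are constructed for this example; the skill's real scripts/competitive_matrix_builder.py is not reproduced here.

```python
"""Pre-run triage for a skill's bundled Python script (added example).

1. triage_script(): parse the file (truncation shows up as a SyntaxError) and
   list the capabilities it uses, so a reviewer knows what to read closely.
2. scrubbed_env()/run_isolated(): run it with only allow-listed credentials.
"""
import ast
import os
import subprocess
import sys

# Module roots whose calls mean the script talks to the network.
NETWORK_MODULES = {"requests", "urllib", "http", "socket", "httpx", "aiohttp", "tweepy"}


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _is_write_mode(call):
    """True if an open() call uses a writing mode ('w', 'a', 'x' or '+')."""
    mode = None
    if len(call.args) > 1 and isinstance(call.args[1], ast.Constant):
        mode = call.args[1].value
    for kw in call.keywords:
        if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
            mode = kw.value.value
    return isinstance(mode, str) and any(c in mode for c in "wax+")


def triage_script(source):
    """Parse a script; report completeness and the capabilities it uses."""
    report = {"complete": True, "error": None, "imports": [], "network": [],
              "subprocess": [], "env_reads": [], "file_writes": []}
    try:
        tree = ast.parse(source)
    except SyntaxError as e:  # a file cut off mid-function fails to parse
        report["complete"] = False
        report["error"] = f"line {e.lineno}: {e.msg}"
        return report
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            report["imports"].extend(a.name for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            report["imports"].append(node.module)
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name is None:
                continue
            where = f"(line {node.lineno})"
            if name.split(".")[0] in NETWORK_MODULES:
                report["network"].append(f"{name} {where}")
            elif name.startswith("subprocess.") or name in ("os.system", "os.popen"):
                report["subprocess"].append(f"{name} {where}")
            elif name in ("os.getenv", "os.environ.get"):
                report["env_reads"].append(f"{name} {where}")
            elif name == "open" and _is_write_mode(node):
                target = node.args[0].value if node.args and isinstance(node.args[0], ast.Constant) else "?"
                report["file_writes"].append(f"open({target!r}) {where}")
        elif isinstance(node, ast.Subscript) and _dotted(node.value) == "os.environ":
            key = node.slice.value if isinstance(node.slice, ast.Constant) else "?"
            report["env_reads"].append(f"os.environ[{key!r}] (line {node.lineno})")
    return report


def scrubbed_env(allowed, base=None):
    """Environment containing only the allow-listed names (plus PATH)."""
    base = dict(os.environ) if base is None else base
    keep = set(allowed) | {"PATH"}
    return {k: v for k, v in base.items() if k in keep}


def run_isolated(script_path, allowed, extra_args=()):
    """Run the script with a scrubbed environment; returns the CompletedProcess."""
    return subprocess.run([sys.executable, script_path, *extra_args],
                          env=scrubbed_env(allowed), capture_output=True, text=True)


# Constructed sample for this example; NOT the skill's real matrix-builder script.
SAMPLE = '''
import os, json, requests, subprocess
def fetch(url):
    return requests.get(url, headers={"Authorization": os.environ["X_BEARER_TOKEN"]}).json()
def main():
    data = fetch("https://example.invalid/api")
    subprocess.run(["ls"])
    with open("matrix.json", "w") as f:
        json.dump(data, f)
'''
# The same script cut off mid-function, as a truncated repository view would show it.
TRUNCATED = SAMPLE[: SAMPLE.index("json.dump")]

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for key, value in triage_script(src).items():
        print(f"{key:12} {value}")
```

This is a first static pass, not a substitute for reading the code: an aliased import (import requests as rq), a dynamic __import__ or exec, or a third-party wrapper library will not be flagged, so treat an empty "network" list as "nothing obvious" rather than "nothing". For the first live run, pair the scrubbed environment with the network logging item 4 recommends so that anything the triage missed shows up as an unexpected outbound call.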

Review Dimensions

Purpose & Capability
ok: The name/description (competitive teardown) matches the included templates, rubric, and a local Python matrix-builder script. Requested resources are minimal (no env vars, no binaries). The references discuss the exact data sources the skill claims to use (pricing pages, app stores, job postings, SEO, social).
Instruction Scope
note: SKILL.md stays on-task: it instructs collecting public signals, applying a 12-dimension rubric, and filling templates. It references using APIs (iTunes, Twitter/X API v2, Reddit, LinkedIn) and promises 'full executable scripts' in the data-collection reference, but the packaged references are prose (no network-fetching scripts for each source). The guidance includes ethical/TOS cautions. Nothing instructs reading unrelated system files or exfiltrating secrets.
Install Mechanism
ok: No install spec; instruction-only plus one local Python script. That is low-risk from an installation perspective because nothing is auto-downloaded or extracted.
Credentials
note: The skill declares no required credentials or env vars, which is proportionate for the stated purpose. However, the instructions expect use of external APIs (Twitter/X, iTunes, LinkedIn, etc.) that will typically require API keys or scraping tools; the skill does not declare or manage those credentials, so users or the agent environment will need to provide them. Confirm how you or your agent will supply API credentials and that you won't expose unrelated secrets.
Persistence & Privilege
ok: The always flag is false and model invocation is allowed (the platform default). The skill does not request persistent system presence, modify other skills, or claim system-wide changes.