Competitor Watch

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill appears to be a user-configured local competitor-monitoring helper with no evidence of data theft, but it uses scheduled shell scripts and includes placeholder fetch/alert behavior that users should verify.

Before installing, verify that jq is installed, review the scripts, run check.sh in dry-run mode, and confirm whether real web fetching and alerts are implemented. If you schedule it with cron or a heartbeat, keep the frequency reasonable and remember that stored diffs and reports should be treated as untrusted competitor content.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The user may think real competitor pages are being monitored when the script is actually generating placeholder/random content.

Why it was flagged

The advertised monitoring flow is currently represented by simulated content rather than an actual web fetch, which could create false confidence or bogus change data if used as-is.

Skill content

# SIMULATED: In a real environment, you'd capture the output of the clawd tool call
...
new_content="Real content for $page_url at $(date)\n$(head -c 100 /dev/urandom | base64)"

Recommendation

Run tests first and verify that real web fetching and real alert delivery are implemented before relying on the skill for competitive monitoring.

What this means

Installation or first use may fail unless jq and normal shell utilities are already available.

Why it was flagged

The scripts depend on jq even though the registry metadata lists no required binaries, so setup requirements are under-declared.

Skill content

if ! command -v jq &> /dev/null; then
    echo "Error: jq is not installed. Please install it to manage config."

Recommendation

Install jq from a trusted package source and treat the registry dependency metadata as incomplete.

What this means

If scheduled, the skill will continue running checks and writing local data until the user disables the schedule.

Why it was flagged

The skill encourages recurring background execution, but it is disclosed and user-directed rather than hidden.

Skill content

Set up cron or heartbeat: Run `check.sh` every 30-60 minutes

Recommendation

Only add a cron or heartbeat schedule intentionally, choose a reasonable frequency, and document how to disable it.

What this means

A competitor page could contain misleading or prompt-like text that later appears in a report or agent context.

Why it was flagged

Fetched page differences are stored in change logs and can later be surfaced in reports, so untrusted webpage content may persist as context.

Skill content

raw_diff: $diff

Recommendation

Treat snapshots, diffs, and reports as untrusted evidence, not as instructions for the agent to follow.

What this means

Misconfigured competitor URLs or overly frequent schedules could create unwanted traffic or collect irrelevant web content.

Why it was flagged

The intended monitoring design uses web-fetching against user-configured URLs, which is expected for this skill but should stay bounded to approved targets.

Skill content

fetch_command="clawd web_fetch --url \"$page_url\" --extractMode text"

Recommendation

Review the configured URLs, keep rate limits conservative, and monitor only sites you are comfortable checking automatically.