ClawHub

Rivalwatch

Security checks across malware telemetry and agentic risk

Overview

Rivalwatch is a disclosed local competitor-intelligence logging tool, with no evidence of network access, credential use, destructive actions, or hidden execution.

Install only if you want a local Bash-based note tracker for competitor intelligence. Avoid entering secrets or confidential business material unless local storage under ~/.local/share/rivalwatch is acceptable, and verify export/status behavior because the script has duplicate command branches that may not match the documentation exactly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The file claims to provide SWOT and market-positioning analysis, but the actual documented functionality is a generic local logging toolkit. This deceptive or misleading packaging can cause users to route sensitive competitor intelligence through a tool they believe performs analysis only, when it actually accumulates persistent records, broadening confidentiality and compliance risk.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This script materially does not implement competitor analysis; instead it exposes a generic local data collection and utility interface. That mismatch is dangerous because users may trust the declared skill purpose while the code silently stores arbitrary inputs and offers unrelated operations, creating scope-creep and hidden data-handling risk.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script creates a persistent local data directory and history log despite the stated skill being competitor analysis, with no demonstrated need for retention. Unnecessary persistence increases the chance that sensitive business inputs, research notes, or proprietary market data remain on disk and are later exposed through local access, backups, or exports.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The broad command surface includes generic operations unrelated to competitor analysis, which expands the skill's capabilities beyond user expectations and declared scope. An unnecessarily broad interface increases abuse potential, complicates review, and makes it easier to disguise data collection or secondary behaviors inside a seemingly specialized skill.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The inline description as a generic utility toolkit contradicts the manifest's competitor-analysis framing, indicating the package may be mislabeled or repurposed. This is dangerous because deceptive or inconsistent labeling undermines trust and can conceal collection or behavior that users would not expect from the advertised skill.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill omits a prominent warning that all inputs are automatically persisted to local timestamped logs and may later be exported. In the context of competitor analysis, users are likely to enter sensitive strategic, commercial, or confidential information, so silent retention materially increases the chance of data leakage to other local users, backups, or accidental sharing.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script persistently records all user-supplied input into local log files without an up-front warning or consent prompt. In the context of competitor analysis, those inputs may contain confidential business strategy, market intelligence, customer lists, or other sensitive data, so silent retention materially increases confidentiality risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal