Skill v2.0.0
ClawScan security
Rivalwatch · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 18, 2026, 11:03 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and runtime instructions are consistent with its stated purpose: a local CLI that logs and exports competitor notes to ~/.local/share/rivalwatch with no network access or extra credentials required.
- Guidance: This skill appears to do what it says: a local, file-backed CLI for logging and exporting competitor intel. Before installing, note that it will create and write files under ~/.local/share/rivalwatch (logs and export files), so do not store secrets there if you need them private. There are some minor implementation issues (e.g., JSON export uses simple printf/echo and may produce invalid JSON when entries contain quotes or newlines), but those are quality issues rather than security red flags. If you trust the source (BytesAgain) and are comfortable with local files being created/edited, the skill is reasonable to install. If you need stronger guarantees, review the full script locally or run it in a sandboxed account first.
Review Dimensions
- Purpose & Capability: ok. Name/description (competitor analysis, SWOT, exports) match the delivered functionality: a Bash CLI that logs entries, shows stats, searches logs, and exports data. No unrelated credentials, binaries, or cloud access are requested.
- Instruction Scope: ok. SKILL.md instructs the agent to use the CLI and references only the data directory (~/.local/share/rivalwatch). The included script only reads/writes files inside that directory and uses standard Unix tools. It does create and append logs there (expected for this tool).
- Install Mechanism: ok. Instruction-only with a single shipped shell script; there is no install spec that downloads or executes remote code. This is low-risk and proportionate for a small CLI utility.
- Credentials: ok. No required environment variables, credentials, or config paths beyond $HOME. The script only reads/writes its own data directory; requested environment access is minimal and appropriate.
- Persistence & Privilege: ok. always is false and the skill does not request system-wide changes or modify other skills. It persists only by creating files under the user's home data directory, which is expected behavior for a local CLI.
