DoctorClaw Competitor Watch

Security checks across malware telemetry and agentic risk

Overview

This appears to be an ordinary competitor-monitoring skill. Two points deserve attention before enabling alerts: how the skill gets triggered, and where its reports are sent.

Install only if you are comfortable with competitor-monitoring reports being written to files or sent to the external channels you configure. Use explicit prompts, review channel settings before enabling alerts, and avoid including confidential internal strategy in reports sent to Telegram or Discord.

SkillSpector

By NVIDIA
Vulnerability patterns checked
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (92% confidence)

Finding
The invocation example "What are my competitors up to?" is broad, conversational language that can easily overlap with normal user speech. In systems that auto-route based on semantic similarity or trigger phrases, this can cause unintended activation of the skill, leading to unplanned web scraping, report generation, or outbound notifications using configured delivery channels.
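The routing problem this finding describes, as an added example (not code from the DoctorClaw skill or from SkillSpector): a review helper that scores a trigger phrase for breadth, and a router that makes a side-effecting skill ask before running when it was matched only by a vague phrase rather than named explicitly. The skill definition, the generic-speech sample and the side-effect labels are constructed for the illustration; token overlap stands in for the similarity score a semantic router would compute.

```python
"""Trigger-breadth review and explicit-activation gate for an agent skill.

Added example; not code from the DoctorClaw skill or from SkillSpector.
The skill definition, the generic-speech sample and the side-effect labels
are constructed. Token overlap stands in for a semantic router's score.
"""
import re
from dataclasses import dataclass, field

# Function words that carry no routing signal on their own.
STOPWORDS = {
    "what", "are", "my", "up", "to", "the", "a", "an", "is", "of", "do", "how",
    "i", "me", "about", "on", "for", "in", "and", "with", "it", "this", "that", "you",
}

def content_words(text: str) -> set[str]:
    """Lower-case alphabetic tokens with stopwords removed."""
    return {t for t in re.findall(r"[a-z]+", text.lower()) if t not in STOPWORDS}

# Constructed sample of ordinary user messages that should NOT start a monitoring run.
GENERIC_SPEECH = [
    "what are my kids up to this weekend",
    "what are my coworkers up to today",
    "what are my options for lunch",
    "are my competitors hiring in europe",  # shares a keyword but asks about recruiting
]

@dataclass
class Skill:
    name: str                   # canonical name, also used as the slash command
    triggers: list[str]         # phrases the marketplace lists as invocation examples
    side_effects: set[str] = field(default_factory=set)  # e.g. {"network", "outbound_notify"}

@dataclass
class TriggerReport:
    trigger: str
    words: set[str]
    generic_hits: list[str]
    vague: bool

def review_trigger(trigger: str, generic_corpus: list[str]) -> TriggerReport:
    """Flag a trigger as vague if it has at most one content word or
    overlaps with any message in the generic-speech sample."""
    words = content_words(trigger)
    hits = [m for m in generic_corpus if words & content_words(m)]
    return TriggerReport(trigger, words, hits, vague=len(words) <= 1 or bool(hits))

def explicit_invocation(message: str, skill: Skill) -> bool:
    """True when the user named the skill: slash command or its spelled-out name."""
    m = message.strip().lower()
    return m.startswith(f"/{skill.name}") or skill.name.replace("-", " ") in m

def route(message: str, skill: Skill) -> str:
    """Return 'run', 'confirm' or 'ignore'.

    A skill with side effects (network egress, outbound notifications) runs
    unprompted only on explicit invocation; a match on a trigger phrase alone
    yields 'confirm' so the user is asked before anything is scraped or sent.
    """
    if explicit_invocation(message, skill):
        return "run"
    msg_words = content_words(message)
    matched = any(content_words(t) and content_words(t) <= msg_words for t in skill.triggers)
    if not matched:
        return "ignore"
    return "confirm" if skill.side_effects else "run"

# Constructed skill definition mirroring the finding's invocation example.
COMPETITOR_WATCH = Skill(
    name="competitor-watch",
    triggers=["What are my competitors up to?"],
    side_effects={"network", "outbound_notify"},
)

if __name__ == "__main__":
    rep = review_trigger(COMPETITOR_WATCH.triggers[0], GENERIC_SPEECH)
    print(f"{rep.trigger!r}: content words={sorted(rep.words)} vague={rep.vague}")
    for hit in rep.generic_hits:
        print("  would also match:", hit)
    for msg in ["What are my competitors up to?", "/competitor-watch weekly", "what are my kids up to"]:
        print(f"{msg!r} -> {route(msg, COMPETITOR_WATCH)}")
```

The review half tells a skill author that the listed trigger reduces to a single content word and collides with an unrelated request; the routing half is the mitigation on the host side: a skill that scrapes or notifies never fires on a soft match without a confirmation step.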

Missing User Warnings

Medium (88% confidence)

Finding
The skill supports sending reports via Telegram, Discord, or files, but it does not clearly warn users that monitored competitor data and comparative business context may be transmitted to external services. This creates a data-handling risk because sensitive internal positioning, competitor intelligence, and alert contents could be shared outside the local environment without informed user consent.
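The overview's advice (review channel settings before enabling alerts, keep confidential internal strategy out of reports sent to Telegram or Discord) and this finding come down to one gate in front of report delivery. The following is an added example, not code from the DoctorClaw skill: the channel table, the [INTERNAL] line marker and the sample report are constructed for the illustration. It shows the warning a user should see before anything leaves the machine, and the removal of internal-only lines from copies sent to external services.

```python
"""Outbound delivery gate for competitor-monitoring reports.

Added example; not code from the DoctorClaw skill. The channel table, the
[INTERNAL] line marker and the sample report are constructed.
"""
import re
from dataclasses import dataclass

# Delivery targets the skill supports; anything not on this table is refused.
CHANNELS = {
    "file":     {"external": False, "operator": "local disk"},
    "telegram": {"external": True,  "operator": "Telegram"},
    "discord":  {"external": True,  "operator": "Discord"},
}

# Report lines the author tags as internal-only, e.g. "[INTERNAL] our Q3 pricing plan".
INTERNAL_MARK = re.compile(r"^\s*\[INTERNAL\]", re.IGNORECASE)

@dataclass
class Delivery:
    allowed: bool        # False: nothing is sent; show `warning` to the user instead
    channel: str
    body: str            # what will actually be written or transmitted
    warning: str         # text the user must see before an external send
    stripped_lines: int  # internal-only lines removed from the external copy

def consent_text(channel: str) -> str:
    """The warning shown before the first send to an external channel."""
    op = CHANNELS[channel]["operator"]
    return (
        f"This report, including competitor names, price comparisons and your own "
        f"positioning notes, will be sent to {op} servers outside this machine. "
        f"Lines marked [INTERNAL] are removed first; everything else is shared."
    )

def gate(report: str, channel: str, external_consent: bool) -> Delivery:
    """Decide what, if anything, may be delivered to `channel`.

    Local files keep the full report. External channels require that the
    user has acknowledged the warning for that channel, and receive a copy
    with [INTERNAL] lines removed.
    """
    if channel not in CHANNELS:
        raise ValueError(f"unknown delivery channel {channel!r}")
    if not CHANNELS[channel]["external"]:
        return Delivery(True, channel, report, "", 0)
    lines = report.splitlines()
    kept = [ln for ln in lines if not INTERNAL_MARK.match(ln)]
    stripped = len(lines) - len(kept)
    warning = consent_text(channel)
    if not external_consent:
        return Delivery(False, channel, "", warning, stripped)
    return Delivery(True, channel, "\n".join(kept), warning, stripped)

# Constructed sample report: public observations plus two internal-only notes.
SAMPLE_REPORT = """\
Competitor Watch, weekly digest
AcmeCorp: new $49/mo tier replaces the $59/mo plan
Globex: enterprise SSO page published
[INTERNAL] Our Q3 plan undercuts Acme by 15%; do not disclose
[INTERNAL] Three Acme accounts are in active evaluation with us
"""

if __name__ == "__main__":
    for channel, consent in [("file", False), ("telegram", False), ("telegram", True)]:
        d = gate(SAMPLE_REPORT, channel, consent)
        print(f"{channel:8} consent={str(consent):5} allowed={d.allowed} stripped={d.stripped_lines}")
        if d.warning:
            print("  warning:", d.warning)
        if d.allowed and d.body:
            print("  body:", d.body.replace("\n", " | "))
```

The consent flag is per channel and should be persisted once the user has read the warning; the marker-based stripping is a safety net for the case the overview warns about, not a substitute for keeping internal strategy out of the report in the first place.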

VirusTotal

0 of 65 VirusTotal vendors flagged this skill (65/65 clean). VirusTotal engines look for known malware and malicious URLs; a clean result does not address the trigger and data-handling findings above, which concern how the skill behaves when run, not what its files contain.
