Competitor Analyzer
Warn. Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its advertised competitor-report purpose, but its script unsafely embeds the company name into a Python command, so a crafted input could run local code.
Install only if you are comfortable reviewing or fixing the shell script first. The public-web research behavior is normal for this skill, but avoid running it on arbitrary company names or URLs until the Python command construction is made safe.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent or user analyzes a maliciously crafted company name or URL, the script could run unintended code on the user's machine.
The company name is user-controlled and is interpolated directly into Python source code passed to python3 -c. A single quote in the input closes the string literal, so the remainder of the input is parsed and executed as Python code on the local machine.
COMPANY="${1:?Usage: ./analyze.sh <company_name_or_url>}" ... local query="$1" ... python3 -c "import urllib.parse; print(urllib.parse.quote('$query'))"
Do not run this version on untrusted input. Fix it by passing the query as an argument or via stdin to Python instead of interpolating it into the source, for example: python3 -c 'import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1]))' "$query".
The skill may fail or behave differently depending on local system binaries that were not fully declared in the registry metadata.
The script depends on local curl and python3 binaries, while the registry metadata declares no required binaries. This is a dependency-disclosure issue rather than evidence of malicious installation behavior.
curl -sL "https://html.duckduckgo.com/html/?q=$(python3 -c ... )"
Declare curl and python3 as required binaries in the metadata, or document the dependency clearly before users run the script.
