Skill v1.0.0
ClawScan security
Competitor Analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 22, 2026, 6:39 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions are coherent with its stated purpose (web-scraping competitive analysis), ask for no secrets, and do not contain hidden endpoints or obfuscated behavior.
- Guidance: This skill appears to do what it says: it scrapes public search results and builds a markdown report. Before installing or running it, note the following: (1) the script uses curl and python3 even though the registry metadata lists no required binaries — ensure curl and python3 are present. (2) It queries DuckDuckGo HTML (https://html.duckduckgo.com/html/) and parses the returned HTML; this is scraping and may be brittle or return incomplete results. (3) The script writes a report file to your current working directory; run it in a location where writing is safe. (4) There are no credentials requested and no hidden/external endpoints in the code, but as with any script, inspect it yourself and run it in an isolated environment if you have concerns. If you plan to let an agent run this autonomously, be aware the agent will perform web searches on your behalf (no secrets are sent).
Review Dimensions
- Purpose & Capability (note): The skill's name and description match what the files do: gather public web search results and produce a markdown report. Minor inconsistency: the registry metadata lists no required binaries, but both SKILL.md and analyze.sh require curl and python3 (the script calls curl and invokes python3 for URL encoding and HTML parsing). This is likely a documentation/metadata omission rather than malicious.
- Instruction Scope (ok): SKILL.md instructs running the bundled analyze.sh and (optionally) using the agent's web_search tool. The script only performs web searches against DuckDuckGo HTML, parses public search snippets, formats a report, and writes it to the current working directory. It does not read other files, access environment variables, or send data to unexpected third-party endpoints.
- Install Mechanism (ok): No install spec is provided (instruction-only with an included script). No external archives or downloads are performed. The script is run locally and uses system utilities (curl, python3).
- Credentials (ok): The skill requests no credentials, secrets, or config paths. The script does not reference any environment variables or require access to unrelated services.
- Persistence & Privilege (ok): The skill does not request always:true and does not modify other skills or system-wide settings. It writes a report file to the current directory (expected behavior) and prints it to stdout.
