Competitor Analyzer
v1.0.0
Generates a detailed report on a company's market position, pricing, social activity, recent news, and strengths by analyzing its name or URL.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The script implements the stated competitor-analysis functionality (web searches, report generation). It reasonably requires internet access and curl. However, SKILL.md omits a dependency on python3 (the script calls python3 multiple times), which is inconsistent with the declared requirements.
Instruction Scope
The script only performs web searches, writes a markdown report to the current directory, and prints it — consistent with the stated purpose. However, the script injects the untrusted search string directly into a python -c invocation, enabling arbitrary Python code execution if a malicious company name is passed. The script also writes files to the working directory (competitor-report-*.md), which may overwrite existing files if names collide.
Install Mechanism
This is an instruction-only skill with a bundled script and no install spec — low install risk (nothing is downloaded or installed automatically).
Credentials
No credentials, environment variables, or external tokens are requested. The need for internet access is proportional to the task. The missing explicit mention of python3 in SKILL.md is a documentation gap, not a sign of unnecessary privileges.
Persistence & Privilege
The skill does not request persistent presence (always: false) and does not modify other skills or system-wide settings. It runs as a normal script with no elevated privileges.
What to consider before installing
This skill does what it claims (runs web searches and writes a report), but the bundled analyze.sh is unsafe to run with untrusted input because it interpolates the user-supplied company string directly into python -c, allowing arbitrary Python code execution. Before using:
1) Do not run the script on inputs from untrusted sources or external agents.
2) Fix the injection by passing the query as a Python argument instead of embedding it in code. Example safe replacement: replace the call
python3 -c "import urllib.parse; print(urllib.parse.quote('$query'))"
with
python3 -c "import urllib.parse,sys; print(urllib.parse.quote(sys.argv[1]))" "$query"
(or URL-encode with a POSIX-safe tool) so the query is passed as argv rather than injected into the code string. No `--` separator is needed: python3 stops option parsing after the -c code string, so a query beginning with `-` still arrives as sys.argv[1]; with a `--` present, sys.argv[1] would be the literal `--` and the real query would be ignored.
3) Update SKILL.md to list python3 as a required binary and mention that the script writes competitor-report-*.md to the current directory.
4) Run the script in a sandbox or throwaway directory until you (or someone you trust) audits it. If you cannot patch or audit the script, treat the skill as unsafe and avoid installing/invoking it from untrusted agents.
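The two hardening points above (query passed as argv, report name derived from the query rather than trusted verbatim) as a stand-alone shell example. This is added illustration, not code from the skill or from analyze.sh; it assumes only that python3 is on PATH, which the scan already identifies as an undeclared requirement, and the function names url_encode, report_filename and write_report are hypothetical.

```shell
#!/bin/sh
# Hardened helpers in the style an analyze.sh could use (added example, not the skill's code).
# Assumes python3 is on PATH, as the scan notes the skill already requires.

# URL-encode $1 by handing it to Python as an argv element. Nothing from the
# query is spliced into the Python source, so quotes, backslashes or $(...)
# in a company name cannot change what the -c program does.
# python3 stops option parsing after the -c code string, so a query that
# starts with '-' is still plain argv; no `--` separator is needed (and one
# would itself become sys.argv[1]).
url_encode() {
    python3 -c 'import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1]))' "$1"
}

# Derive the report file name from the query instead of trusting it verbatim:
# keep only [A-Za-z0-9_], squeeze everything else to a single '-', and trim
# stray dashes, so the name cannot contain '/' or leave the working directory.
report_filename() {
    stem=$(printf '%s' "$1" | tr '\n' ' ' \
        | sed 's/[^A-Za-z0-9_][^A-Za-z0-9_]*/-/g; s/^-*//; s/-*$//')
    [ -n "$stem" ] || stem=unnamed
    printf 'competitor-report-%s.md\n' "$stem"
}

# Refuse to clobber an existing report rather than silently overwriting it.
# $1 = query, $2 = report body (constructed by the caller).
write_report() {
    out=$(report_filename "$1")
    if [ -e "$out" ]; then
        echo "refusing to overwrite existing $out" >&2
        return 1
    fi
    printf '%s\n' "$2" > "$out"
    echo "$out"
}

# Demo with a constructed hostile-looking company name: the whole string is
# encoded as data, and the derived file name contains no path separators.
demo_query="Acme's Widgets \$(id)"
echo "query=$(url_encode "$demo_query")"
echo "file=$(report_filename "$demo_query")"
```

The encoder treats the company name purely as data: a name such as `Acme's Widgets $(id)` becomes `Acme%27s%20Widgets%20%24%28id%29`, and the same name yields the file `competitor-report-Acme-s-Widgets-id.md`, so neither the Python program nor the output path is shaped by the input.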
Competitor Analyzer
Analyze any company's competitive position in minutes. Takes a company name or URL and produces a structured report covering what they do, pricing, social presence, and recent news.
Usage
./analyze.sh <company_name_or_url>
Example
./analyze.sh "Notion"
./analyze.sh "https://linear.app"
Output
A structured competitive analysis report with:
- Company Overview — What they do, market position
- Pricing Analysis — Plans, tiers, free tier details
- Social Presence — Twitter, LinkedIn, GitHub activity
- Recent News — Latest announcements, funding, launches
- Strengths & Weaknesses — Quick SWOT-lite summary
Requirements
- curl (standard)
- Internet access for web searches
- Works best when run by an AI agent with web_search tool access
How It Works
The script uses web search queries to gather intel, then formats results into a clean markdown report. When run by an OpenClaw agent, it leverages the web_search tool for richer results. Standalone mode uses curl + DuckDuckGo.