Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Competitor Analyzer

v1.0.0

Generates a detailed report on a company's market position, pricing, social activity, recent news, and strengths by analyzing its name or URL.

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The script implements the stated competitor-analysis functionality (web searches, report generation). It reasonably requires internet access and curl. However, SKILL.md omits a dependency on python3 (the script calls python3 multiple times), which is inconsistent with the declared requirements.
Instruction Scope
The script only performs web searches, writes a markdown report to the current directory, and prints it — consistent with the stated purpose. However, the script injects the untrusted search string directly into a python -c invocation, enabling arbitrary Python code execution if a malicious company name is passed. The script also writes files to the working directory (competitor-report-*.md), which may overwrite existing files if names collide.
Install Mechanism
This is an instruction-only skill with a bundled script and no install spec — low install risk (nothing is downloaded or installed automatically).
Credentials
No credentials, environment variables, or external tokens are requested. The need for internet access is proportional to the task. The missing explicit mention of python3 in SKILL.md is a documentation gap, not a sign of unnecessary privileges.
Persistence & Privilege
The skill does not request persistent presence (always: false) and does not modify other skills or system-wide settings. It runs as a normal script with no elevated privileges.
What to consider before installing
This skill does what it claims (runs web searches and writes a report), but the bundled analyze.sh is unsafe to run with untrusted input because it interpolates the user-supplied company string directly into python -c, allowing arbitrary Python code execution. Before using:

  1) Do not run the script on inputs from untrusted sources or external agents.
  2) Fix the injection by passing the query as a python argument instead of embedding it in code. Example safe replacement: replace the call python3 -c "import urllib.parse; print(urllib.parse.quote('$query'))" with python3 -c "import urllib.parse,sys; print(urllib.parse.quote(sys.argv[1]))" -- "$query" (or URL-encode with a POSIX-safe tool) so the query is passed as argv rather than injected into the code string.
  3) Update SKILL.md to list python3 as a required binary and mention that the script writes competitor-report-*.md to the current directory.
  4) Run the script in a sandbox or throwaway directory until you (or someone you trust) audits it.

If you cannot patch or audit the script, treat the skill as unsafe and avoid installing/invoking it from untrusted agents.
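The injection pattern the scan describes next to an argv-based fix, as an added example that is not the skill's own analyze.sh. The pure-POSIX fallback is an assumption for hosts without python3 and mirrors urllib.parse.quote's default of leaving "/" unencoded.

```shell
#!/bin/sh
# Added example, not the skill's analyze.sh: the injection pattern the scan
# flags, the argv-based fix, and a pure-POSIX fallback (assumed, for hosts
# where python3 is absent, which SKILL.md does not list as a requirement).

# UNSAFE: $1 is spliced into Python source text, so a company name holding
# a quote or parenthesis is parsed as code rather than treated as data.
urlencode_unsafe() {
    python3 -c "import urllib.parse; print(urllib.parse.quote('$1'))"
}

# SAFE: the value travels as an argv entry that Python never parses as code.
# python stops option parsing at -c, so the query is sys.argv[1] even when it
# starts with "-"; inserting a "--" separator would itself become sys.argv[1].
urlencode_safe() {
    python3 -c 'import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1]))' "$1"
}

# FALLBACK: percent-encode byte by byte with od, no Python involved. Keeps the
# same unreserved set as urllib.parse.quote (letters, digits, "_.-~" and "/").
urlencode_posix() {
    s="$1" out=""
    while [ -n "$s" ]; do
        c="${s%"${s#?}"}"          # first character of the remaining string
        s="${s#?}"
        case "$c" in
            [A-Za-z0-9._~/-]) out="$out$c" ;;
            *) out="$out$(printf '%s' "$c" | od -An -tx1 -v \
                 | tr ' ' '\n' | sed '/^$/d; s/^/%/' | tr -d '\n' | tr 'a-f' 'A-F')" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Constructed input that would break the unsafe form; both safe paths agree.
company="O'Reilly Media (Acme)"
if command -v python3 >/dev/null 2>&1; then
    urlencode_safe "$company"   # O%27Reilly%20Media%20%28Acme%29
fi
urlencode_posix "$company"      # O%27Reilly%20Media%20%28Acme%29
```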


latest: vk9776v75e99a0q2b8v83z2e2f581meqx
544 downloads
0 stars
1 version
Updated 13h ago
v1.0.0
MIT-0

Competitor Analyzer

Analyze any company's competitive position in minutes. Takes a company name or URL and produces a structured report covering what they do, pricing, social presence, and recent news.

Usage

./analyze.sh <company_name_or_url>

Example

./analyze.sh "Notion"
./analyze.sh "https://linear.app"

Output

A structured competitive analysis report with:

  • Company Overview — What they do, market position
  • Pricing Analysis — Plans, tiers, free tier details
  • Social Presence — Twitter, LinkedIn, GitHub activity
  • Recent News — Latest announcements, funding, launches
  • Strengths & Weaknesses — Quick SWOT-lite summary

Requirements

  • curl (standard)
  • Internet access for web searches
  • Works best when run by an AI agent with web_search tool access

How It Works

The script uses web search queries to gather intel, then formats results into a clean markdown report. When run by an OpenClaw agent, it leverages the web_search tool for richer results. Standalone mode uses curl + DuckDuckGo.
