Competitor Analyzer
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill’s competitor-research purpose is coherent, but its shell script splices the company name into Python source text, so a crafted company name or URL can execute arbitrary local Python code.
Only install or run this after the input-handling bug is fixed, especially if an agent might pass in company names from webpages, messages, or other untrusted sources. The public web-search behavior itself is expected for a competitor-analysis tool, but the script should safely treat the company name as data, not executable code.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent or user runs the script with attacker-controlled text as the company name or URL, it could execute commands on the local machine under the user’s privileges.
The user-controlled company/search text is expanded by the shell into Python source code, inside a single-quoted string literal, instead of being passed to Python as data. A value containing a single quote and matching parentheses can close the literal and the surrounding call, and whatever follows runs as arbitrary Python on the local machine.
From analyze.sh:

```bash
COMPANY="${1:?Usage: ./analyze.sh <company_name_or_url>}"
...
local query="$1"
...
python3 -c "import urllib.parse; print(urllib.parse.quote('$query'))"
```

Do not run this script on untrusted company names until fixed. Pass the query to Python as an argument, for example `python3 -c 'import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1]))' "$query"`, and consider validating or rejecting control characters.
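The following is an added example written for this review; it is not code from the skill or from ClawScan. It reproduces the flawed `python3 -c "... '$query' ..."` pattern with Python's `subprocess` (an f-string splice is equivalent to the shell's `$query` expansion into the `-c` source), places the argv-based fix beside it, and adds the control-character check the finding suggests. The function names, the two sample queries and the `INJECTED` marker are constructed for the demonstration; the crafted query is deliberately harmless and only prints a marker.

```python
import subprocess
import sys

# Constructed sample inputs (not taken from the skill). The crafted value closes
# the single-quoted literal and both open parentheses of
# print(urllib.parse.quote('...')), appends its own statement, then reopens the
# literal so the rest of the generated source still parses.
BENIGN_QUERY = "Acme Corp & Sons"
CRAFTED_QUERY = "Acme')); print('INJECTED'); print(('"


def encode_unsafe(query: str) -> str:
    """Reproduce the flawed pattern from analyze.sh.

    The script runs python3 -c "import urllib.parse; print(urllib.parse.quote('$query'))"
    and the shell expands $query into the Python source text. The f-string below performs
    the same splice, so a quote in the query ends the literal and the remainder is
    executed as code. The child's stdout is returned so the effect is visible.
    """
    source = f"import urllib.parse; print(urllib.parse.quote('{query}'))"
    proc = subprocess.run(
        [sys.executable, "-c", source],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


def encode_safe(query: str) -> str:
    """Hardened form recommended in the finding.

    The Python source is a fixed string and the query travels as its own argv element,
    so the interpreter never parses it as code. Shell equivalent:
    python3 -c 'import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1]))' "$query"
    """
    source = "import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1]))"
    proc = subprocess.run(
        [sys.executable, "-c", source, query],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.rstrip("\n")


def is_safe_query(query: str, max_len: int = 256) -> bool:
    """Input validation as suggested in the finding: reject empty or over-long values
    and any C0 control character or DEL (covers newline and NUL). CRAFTED_QUERY passes
    this check, which is why argv passing, not validation, is the actual fix; the
    check is defence in depth."""
    if not query or len(query) > max_len:
        return False
    return all(ord(ch) >= 32 and ord(ch) != 127 for ch in query)


if __name__ == "__main__":
    for name, fn in (("unsafe", encode_unsafe), ("safe", encode_safe)):
        print(f"{name:6} benign : {fn(BENIGN_QUERY)!r}")
        print(f"{name:6} crafted: {fn(CRAFTED_QUERY)!r}")
```

Running the block shows the unsafe path emitting three lines for the crafted query (the encoded prefix, the injected marker and an empty line), while the safe path returns a single percent-encoded string with the quotes and parentheses encoded as `%27`, `%28` and `%29`.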
The skill may fail or rely on local Python even though the registry does not advertise that requirement.
The included script invokes `curl` and `python3`, and SKILL.md only explicitly lists `curl`. The missing binary declarations can surprise users or cause runtime failures, though there is no hidden installer or remote dependency download.
Registry install spec:
Required binaries (all must exist): none
Required binaries (at least one): none
Declare `curl` and `python3` in the skill metadata and SKILL.md, or remove the Python dependency by URL-encoding the query within the shell script itself so that no second interpreter is needed.
