Competitor Change Monitor

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed competitor website monitoring tool that fetches configured sites and stores local reports, with some operational privacy and scheduling caveats users should understand.

Before installing, confirm the competitor URLs, monitoring frequency, timezone, and any email or Slack destinations. Use it for public pages you are allowed to monitor, avoid excessive polling, and be aware that snapshots and reports may contain copied competitor content stored locally or sent through your chosen integrations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly describes continuous web scraping, scheduled monitoring, and email/Slack report delivery, but it does not clearly warn users that third-party sites will be fetched repeatedly and that collected competitor content or analysis may be transmitted to external delivery channels. This creates a meaningful transparency and data-handling risk: users may enable monitoring without understanding network activity, terms-of-use implications, or where generated intelligence is sent.

Natural-Language Policy Violations

Low
Confidence: 76%
Finding
The example configuration hard-codes the timezone to "America/New_York" without clearly indicating that the user should choose or confirm their own locale. While not a direct exploit vector, this can cause reports and alerts to run at unintended times, leading to operational confusion or missed notifications in a monitoring workflow.

VirusTotal

64/64 vendors flagged this skill as clean.
