Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

competitive-ops

v1.0.0

AI competitive intelligence pipeline -- analyze competitors, generate reports, track changes

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals: Crypto · Requires wallet · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (competitive intelligence pipeline) aligns with included files (report templates, pricing analyzer, export scripts, many sample reports) and the SKILL.md instructions. Required env/configs declared are minimal and consistent (Tavily is opt‑in).
Instruction Scope
SKILL.md instructs the agent to read and write local project files (data/competitors.md, reports, snapshots) which is expected. However it also directs running external installs and commands (npx playwright install, npx uipro-cli init, pip install -r requirements.txt) and refers to running a silent update checker (node update-system.mjs check) on first message. The manifest does not clearly include update-system.mjs (instruction references a script that appears missing), which is an incoherence and a potential red flag because an absent-or-remote updater can change runtime behavior. The skill also uses web-search/web-fetch/Tavily fallbacks — network calls are expected for this purpose but will transmit queries externally.
Install Mechanism
There is no packaged install spec; this is instruction-driven. The setup steps rely on npx (npm packages) and pip installs and Playwright browser downloads. Those are standard for the functionality (HTML/PDF export, screenshots), but they pull code/binaries from the network at install time — a moderate operational risk that should be run manually and reviewed in a controlled environment.
Credentials
The skill declares no required environment variables and no primary credential; Tavily API key is optional and explicitly opt‑in in the docs. No unrelated credentials are requested. This is proportionate to a tool that optionally uses an external search service.
Persistence & Privilege
always:false and no declared requests to modify other skills or system-wide configs. However the SKILL.md/CLAUDE.md instructs running an 'update checker' on session start and mentions monitor/loop modes for scheduled monitoring — these enable persistent or recurring network activity if exercised. Because the referenced updater script is not visible in the manifest, this behavior should be audited before allowing autonomous execution.
What to consider before installing
What to check before installing or running this skill:

- Review the repository locally first: the code and scripts (scripts/*.py, export_pdf.js, export_image.js) are present and consistent with the described functionality — but always inspect them before executing.
- The setup steps call npx and pip (and Playwright, which downloads browser binaries). Run these manually in an isolated environment (use a Python virtualenv, and consider a disposable VM/container) rather than letting an agent run them unattended.
- The README/CLAUDE.md instructs a silent update check (node update-system.mjs check). I could not find that script in the provided manifest — this mismatch is a warning. If an updater exists or is downloaded later, inspect its code and network endpoints before allowing it to run, because updaters can change behavior or pull remote code.
- Tavily is optional: only set TAVILY_API_KEY if you trust that service. Do not put other secrets into environment variables for this skill.
- The skill performs network research (web-search, web-fetch, and optional Tavily). Expect outbound network calls and that search metadata (company names, queries) will leave your environment. If that is sensitive, do not enable external search fallback, or run in an environment with restricted network access.
- If you want to use the HTML/PDF export features, confirm you are comfortable installing uipro-cli and Playwright (these will download code/binaries from npm and Playwright's browser hosts).

Bottom line: the project appears coherent for its purpose, but the missing/ambiguous updater reference and the need to run external installers/downloaders justify caution — inspect any updater script, run installs manually in an isolated environment, and only provide API keys (Tavily) when intentionally opting in.

Like a lobster shell, security has layers — review code before you run it.

latest: vk978n3pb3kpgdbe6dcwdtnq6bx84fzz8
