ClawHub

GEO Competitor Scanner

Security checks across malware telemetry and agentic risk

Overview

This is a coherent competitor website scanner that makes user-directed web requests and can save a local report, with no evidence of hidden credential use, persistence, exfiltration, or destructive behavior.

Install only if you are comfortable making HTTP requests to the brand and competitor domains you provide. Use reasonable competitor lists, respect site terms and rate limits, install Python dependencies from trusted sources, and save reports to a non-sensitive path you intentionally choose.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation instructs users to run Python scripts that perform network access against third-party domains and write output files, but the skill declares no permissions or warnings about those capabilities. This creates a transparency and governance gap: users or orchestration systems may invoke a skill with broader operational effects than expected, including outbound requests and local artifact creation.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The trigger language is broad enough to match general requests about AI search performance, content analysis, or strategic gaps, which could cause the skill to activate outside a narrowly intended competitor-scanning workflow. Over-broad activation increases the chance of unintended network scans or report generation on third-party sites when the user did not explicitly request that level of action.

Missing User Warnings

Low
Confidence
74% confidence
Finding
The documentation omits clear notice that the skill analyzes third-party competitor websites and stores derived reports locally. While this is not inherently malicious, lack of disclosure can lead to surprise data collection, retention, or compliance issues, especially in managed environments where scanning external properties and saving artifacts should be explicit.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal