Competitor Monitoring

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed, local competitor-tracking assistant with no executable code, credential use, or evidence of data exfiltration.

Before installing, decide whether you want proactive monitoring or on-demand use only. Review or delete the ~/competitor-monitoring/ folder periodically if it may contain sensitive strategy notes, vulnerabilities, priorities, or competitive analyses.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 88%
Finding
The 'When to Use' section is broad enough that ordinary competitor-related conversation could trigger the skill without clear user intent. In an agent environment, overly permissive activation can cause unnecessary file access, dossier updates, or workflow changes that the user did not explicitly request, creating privacy and integrity risks in local memory.

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger-based rules ('User mentions competitor', 'Industry news', 'User launches feature') are ambiguous and encourage automatic refresh/update behavior on weak signals. This can lead to unintended invocation, unsolicited persistence of data, and autonomous actions such as dossier modification without explicit consent, which is risky even though the skill is framed as local-only.

Missing User Warnings

Medium
Confidence: 89%
Finding
The setup instructs the agent to persist user preferences to a file in the home directory early in the interaction, but it does not require clear disclosure or consent before creating local state. This can surprise users, create unintended retention of potentially sensitive competitive intelligence, and normalize silent persistence behavior.

Missing User Warnings

Medium
Confidence: 94%
Finding
The setup directs the skill to create and maintain multiple competitor dossier files under the user's home directory without warning that these files will persist and be updated over time. Because the contents may include sensitive business strategy, competitor concerns, and positioning notes, silent multi-file persistence increases privacy, confidentiality, and surprise-retention risk.

VirusTotal

46/46 vendors flagged this skill as clean.
