Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Battlecard: Competitive Intelligence
v1.5.0
Know your competitor's weaknesses before the call. Practice your pitch against an AI buyer. Capture intel after every deal. 11 tools for sales teams. Free ti...
⭐ 1 · 116 · 0 current · 0 all-time
by @ivo-gos
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill claims to provide battle cards, objection handlers, comparisons, and simulations and the included scripts call a remote Battlecard MCP endpoint to implement those functions. The network calls, persona options, and simulation flow align with the stated purpose. Note: registry metadata at the top of the report said “Required env vars: none” while skill.json and SKILL.md declare BATTLECARD_API_KEY — this is a minor inconsistency (the key appears optional in the scripts).
Instruction Scope
SKILL.md explicitly instructs the agent to run the provided scripts and to POST user-provided company/competitor/messages to https://battlecard.northr.ai/mcp. That behavior is expected for this service, but it means user-provided pitches, meeting notes, and any pasted content will be transmitted to the remote service. There are no instructions to read unrelated system files or secrets beyond the optional API key.
Install Mechanism
No install spec or downloads; this is an instruction-only skill with included shell scripts. Nothing writes arbitrary external code to disk or downloads remote archives—scripts are local and self-contained.
Credentials
Only one environment variable is referenced (BATTLECARD_API_KEY) and is used as an optional header for higher tiers. That is proportional to the purpose. However, registry metadata in the summary contradicted the manifest: the top-level requirement listing said no env vars while the SKILL.md and skill.json declare BATTLECARD_API_KEY (primaryEnv). The scripts work without the key but the key is required for unlimited access—this mismatch should be clarified by the publisher before trusting the package.
Persistence & Privilege
The skill does not request always: true, does not modify other skill configs, and does not request elevated system privileges. It only provides user-invocable tools and uses local scripts to call an external API.
Assessment
This package appears to be what it claims: a client that sends company/competitor data and user messages to battlecard.northr.ai for battle cards and simulations. Before installing or using it, verify the domain and publisher (source is unknown here), decide whether you are comfortable sending sales pitches, call notes, or customer data to that external service, and avoid including secrets or sensitive PII in requests. Also note the minor metadata mismatch about required env vars (BATTLECARD_API_KEY is declared in the manifest but the registry summary said none) — treat the API key as optional but necessary for paid/unlimited access. If you need higher assurance, ask the publisher to clarify the env var requirement and review their privacy/terms and server-side handling of uploaded content.
Like a lobster shell, security has layers — review code before you run it.
