Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Competitor Intel Monitor

v1.0.0

Monitor competitors' websites, social media, pricing, and product changes automatically. Use when the user wants to track competitor activity, detect website...

by John Wang (@johnnywang2001)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The script performs expected tasks for basic competitor monitoring: fetching pages, extracting text, diffing, saving snapshots and history under ~/.openclaw. However, the skill description and SKILL.md promise additional capabilities (social/X monitoring, Telegram alert delivery, built-with tech detection, detailed SEO analysis) that are not implemented in scripts/monitor.py. This is an overclaim rather than a direct malicious mismatch.
Instruction Scope
Runtime instructions only call the bundled Python script with CLI commands (add, check, history, report). The instructions reference the config path and data directory that the script actually uses. The instructions do not ask the agent to read unrelated system files or transmit data to external endpoints beyond fetching the competitor URLs (which is expected).
Install Mechanism
No install spec present; this is an instruction-only skill with a bundled Python script. Nothing is downloaded or installed automatically by the skill package itself.
Credentials
The skill declares no required environment variables or credentials and the script does not attempt to read any secrets. It writes config and data files under the user's home (~/.openclaw). The apparent alertChannel (telegram) in config is not implemented in code, so there is no hidden requirement for messaging credentials.
Persistence & Privilege
The skill does persist state to ~/.openclaw/competitor-monitor.json and ~/.openclaw/competitor-data, which is expected for this type of tool. It does not request always:true, nor does it modify other skills or system-wide agent settings.
What to consider before installing
This skill's code is simple and runs locally: it fetches URLs you configure and stores snapshots and a history under ~/.openclaw. Before installing or running it, consider:

1) The README over-promises: social/Twitter monitoring, Telegram alerts, built-with/SEO detection are advertised but not present in the script. Don't expect those features to work without additional code.
2) The script will fetch arbitrary URLs you add; if you or the agent add internal/localhost URLs it can reach internal services. Run it in a network-restricted environment if that's a concern.
3) It writes data to your home directory (~/.openclaw); review those files and permissions.
4) If you need alerting (Telegram, Slack, etc.) or social API integration, implement and review those integrations yourself and avoid pasting secrets into config unless you trust the code.

If you want a fully featured tool, either extend this script carefully or choose a vetted product. If you need me to, I can point out exactly where to add Telegram or Twitter code and what credentials would be required.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97ede38znhgh5dwg8vy4fx5c582m0dp
