Skill v1.0.0

ClawScan security

Competitor Intel Monitor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 10, 2026, 2:49 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The code implements a simple page-diffing competitor monitor that stores snapshots locally, but the skill's description and SKILL.md advertise features (Twitter/social monitoring, Telegram alerts, built-with/SEO detection, scheduled alert integrations) that the included code does not implement — an incoherence that could mislead users.
Guidance
This skill's code is simple and runs locally: it fetches URLs you configure and stores snapshots and a history under ~/.openclaw. Before installing or running it, consider:

1) The README over-promises — social/Twitter monitoring, Telegram alerts, built-with/SEO detection are advertised but not present in the script. Don't expect those features to work without additional code.
2) The script will fetch arbitrary URLs you add; if you or the agent add internal/localhost URLs it can reach internal services — run it in a network-restricted environment if that's a concern.
3) It writes data to your home directory (~/.openclaw); review those files and permissions.
4) If you need alerting (Telegram, Slack, etc.) or social API integration, implement and review those integrations yourself and avoid pasting secrets into config unless you trust the code.

If you want a fully featured tool, either extend this script carefully or choose a vetted product. If you need me to, I can point out exactly where to add Telegram or Twitter code and what credentials would be required.

Review Dimensions

Purpose & Capability
note: The script performs expected tasks for basic competitor monitoring: fetching pages, extracting text, diffing, saving snapshots and history under ~/.openclaw. However, the skill description and SKILL.md promise additional capabilities (social/X monitoring, Telegram alert delivery, built-with tech detection, detailed SEO analysis) that are not implemented in scripts/monitor.py. This is an overclaim rather than a direct malicious mismatch.
Instruction Scope
ok: Runtime instructions only call the bundled Python script with CLI commands (add, check, history, report). The instructions reference the config path and data directory that the script actually uses. The instructions do not ask the agent to read unrelated system files or transmit data to external endpoints beyond fetching the competitor URLs (which is expected).
Install Mechanism
ok: No install spec present; this is an instruction-only skill with a bundled Python script. Nothing is downloaded or installed automatically by the skill package itself.
Credentials
ok: The skill declares no required environment variables or credentials and the script does not attempt to read any secrets. It writes config and data files under the user's home (~/.openclaw). The apparent alertChannel (telegram) in config is not implemented in code, so there is no hidden requirement for messaging credentials.
Persistence & Privilege
ok: The skill does persist state to ~/.openclaw/competitor-monitor.json and ~/.openclaw/competitor-data, which is expected for this type of tool. It does not request always:true, nor does it modify other skills or system-wide agent settings.