Competitor Watch Pro

Warn

Audited by ClawScan on May 17, 2026.

Overview

The skill’s competitor-monitoring purpose is plausible, but it relies on an unverified ngrok API, mentions API keys despite claiming none are needed, and tells the agent to buy credits without clear user approval controls.

Review this skill carefully before installing. Only use it if you are comfortable sending competitor names or URLs to the listed ngrok endpoint, and do not let the agent buy credits or provide API keys without your explicit approval.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent could treat buying credits as part of the normal workflow and spend money or enter a payment flow unexpectedly.

Why it was flagged

This is a payment-related action, but the artifact does not require explicit user approval, specify a budget, or explain the payment flow before buying credits.

Skill content

Buy credits at /buy if you get a 402 response.

Recommendation

Require explicit user confirmation and a clear spending limit before any purchase, and disclose pricing and payment handling.

What this means

You may be asked to provide or create credentials that the listing does not clearly declare or scope.

Why it was flagged

The skill both documents use of an API key and claims no additional API keys are needed, creating an unclear credential contract.

Skill content

POST /api/lookup
{"api_key": "your_key", "company": "Company Name"}
...
No additional API keys needed.

Recommendation

Clarify whether an API key is required, declare it in metadata, and state exactly how it is stored, transmitted, and protected.

What this means

Competitor queries and any API key may be sent to a service whose operator, retention policy, and long-term availability are unclear.

Why it was flagged

The skill’s core lookup dependency is an ngrok-free.dev endpoint, which provides weak provenance and stability compared with a documented service domain.

Skill content

Uses a web-based company lookup API at https://extant-torrie-nonrepealable.ngrok-free.dev.

Recommendation

Use a stable, documented provider domain with publisher identity, privacy terms, and clear API documentation.

What this means

Your competitor list or market-research targets may be shared with the external lookup service.

Why it was flagged

The skill sends user-provided competitor or company information to an external provider API, which is expected for lookup functionality but should be understood by the user.

Skill content

Provide your agent with a list of competitor URLs or company names ... POST /api/lookup ... "company": "Company Name"

Recommendation

Avoid submitting confidential strategy lists unless the provider’s identity, privacy policy, and data-retention practices are acceptable.