competitor-monitor

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed competitor-research helper that uses public web sources to create HTML reports, with privacy and trigger-scope caveats but no hidden or destructive behavior.

Install only if you are comfortable with the agent doing public web research about named companies and creating a shareable HTML report. Avoid including confidential strategy, customers, or internal business details unless you intend them to be used in the report, and review generated HTML before sharing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger phrases are broad, natural-language requests that can easily match ordinary conversation, causing the skill to activate in contexts where the user did not explicitly intend competitor monitoring. Because this skill performs network-dependent research and generates reports, accidental invocation can lead to unintended external queries, data handling, or misleading workflow execution.

Missing User Warnings

Medium
Confidence: 85%
Finding
The README states that the skill depends on network access and may use an external API, but it does not warn users that company names, user prompts, or generated report content may be transmitted to third parties. In a monitoring/research skill, this omission increases the risk of unintentional disclosure of sensitive business interests, internal research targets, or prompt data.

Vague Triggers

Medium
Confidence: 94%
Finding
The skill advertises very broad, everyday trigger phrases such as '分析一下 [公司]' and '研究一下 [公司]', which can overlap with ordinary conversation and cause unintended invocation. That creates a prompt-routing and context-leakage risk: the agent may launch web research and produce a detailed report when the user did not explicitly intend to invoke this skill, potentially sending user context into external lookups or generating unnecessary external-facing artifacts.

Vague Triggers

Medium
Confidence: 91%
Finding
The instruction to default fuzzy requests like '帮我研究 [公司]' into analysis mode means the skill will take autonomous action on ambiguous input instead of clarifying user intent. In this skill's context, that is more dangerous because analysis mode explicitly performs networked collection and produces a structured report, so an accidental invocation can amplify privacy, compliance, and cost risks.

VirusTotal

64/64 vendors flagged this skill as clean.
