Skill v1.0.0

ClawScan security

competitor-monitor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 16, 2026, 9:27 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requested actions (web research across public sources and producing a single-file HTML report) match its stated purpose and there are no unexpected installs, env vars, or other privileges requested.
Guidance
This skill appears coherent and does what it says: crawling public sources and producing a single-file HTML competitor report. Before installing, consider: (1) confirm the agent platform allows outbound web access and whether rate limits / robots.txt policies are respected — some sources (LinkedIn, news sites) may require logins or block scrapers; (2) the skill will collect and present public personal posts (founders' X/social media) — ensure this fits your privacy/legal constraints; (3) if you plan to supply any credentials (to access private pages), do so cautiously — the skill currently does not request them and its instructions say it will not access paywalled content; (4) validate the generated HTML before sharing (it will inline source URLs and data); (5) if you need guarantees about scraping behavior (politeness, rate limits, avoiding automated login), ask the author for more detail or run a small test request first. Overall, nothing in the bundle appears disproportionate or hidden.

Review Dimensions

Purpose & Capability
ok: Name/description (competitor research, monitoring, and analysis) align with the instructions: the SKILL.md describes crawling public web sources (site, blog, Product Hunt, Crunchbase, GitHub, X, LinkedIn) and producing a structured HTML report. No credentials, binaries, or unrelated capabilities are requested.
Instruction Scope
note: Instructions explicitly require '始终联网搜索' (always search the web) and enumerate many public sources; they also require collecting founders' public social posts and LinkedIn/company pages. The SKILL.md states it will not attempt to access paywalled/non-public data, and will cite sources. Note: some sources (LinkedIn, certain news sites) may appear public but require login or block scraping; the skill does not request credentials but may fail or attempt repeated requests if the agent's web access is constrained.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files. This is low risk — nothing is written to disk or fetched as an installation artifact.
Credentials
ok: No environment variables, no credentials, and no config paths are requested. The data sources enumerated are consistent with the claimed purpose, so credential/request footprint is proportionate.
Persistence & Privilege
ok: 'always' is false and the skill is user-invocable with normal autonomous invocation allowed. The skill does not request permanent presence or system-level configuration changes.