Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Competitor Parser
v1.0.0
Automated collection and analysis of data on robotics competitors from Google and a knowledge base, with output of ratings, prices, and addresses.
by @larthe
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's stated purpose (collect competitor data) is plausible, but the SKILL.md lists files (competitors_scraper.py, data files, docs) that are not present in the package. It also suggests using Selenium+Chromium and accessing Yandex/2GIS/VK APIs — capabilities that would require additional binaries/credentials not declared by the skill.
Instruction Scope
Runtime instructions tell the agent/user to cd into a hardcoded path (/home/larthe/.openclaw/workspace) and run a local Python script that is not bundled. The doc recommends installing system packages (sudo apt-get install chromium), enabling browser automation, and shows a command that sends data via openclaw to a Telegram target. These steps involve reading local files, installing system software, and transmitting scraped data externally — none of which are constrained or accompanied by declared credentials or safeguards.
Install Mechanism
There is no install spec in the registry (instruction-only), which is low risk by itself. However, the instructions explicitly recommend installing Chromium/driver via apt-get and switching to Selenium, which requires privileged package installation and additional binaries on the host (manual, outside the package).
Credentials
The skill declares no required environment variables or credentials, yet the instructions say full parsing needs Yandex API keys, VK authorization, and implicit ability to send Telegram messages. Those credentials are not declared nor constrained, creating a mismatch and risk of ad-hoc secret usage or misconfiguration.
Persistence & Privilege
The skill does not request persistent/always-on privileges (always: false). Still, instructions encourage system package installation (sudo apt-get) and file I/O in a user workspace — actions that require elevated privileges or can modify the host. Autonomous invocation is allowed by default, so if the agent later is given the missing script, it could be executed without further review.
What to consider before installing
This package is just an instruction file that references a local Python scraper and other files which are not included. Do not run the suggested commands as-is. Before using: (1) request the missing competitors_scraper.py and related code and review it line-by-line; (2) confirm exactly which credentials (Yandex API key, VK token, Telegram channel/token) the skill needs and ensure they are only granted if necessary; (3) avoid running sudo apt-get or enabling browser automation on a production machine — test in an isolated VM/container; (4) be cautious about the openclaw message send example because it would transmit scraped data to an external Telegram target; (5) prefer a version of the skill that bundles code or points to a verifiable source (GitHub release) and that declares its required environment variables and install steps explicitly.
Like a lobster shell, security has layers — review code before you run it.
latestvk9715yhhpfmgj6d6xnyb5etq7x83v0j1
