Competitor Parser

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a visible competitor-scraping workflow, but it includes under-scoped external sharing to a hardcoded Telegram target and privileged setup guidance that users should review carefully.

Before installing, verify that `competitors_scraper.py` is actually present and trusted in your workspace, replace or remove the hardcoded Telegram target before sending anything, review the CSV for confidential notes or business intelligence, and run any `sudo apt-get` dependency installation manually only in an environment where those system changes are acceptable.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs the user to run a scraper and describes multiple external data sources, but it does not clearly warn that execution will make outbound HTTP requests and create local output files. In an agent setting, this can lead to unexpected network activity, third-party data collection, and local data persistence without informed user consent or operator awareness.

Missing User Warnings

Medium
Confidence: 95%
Finding
The Telegram integration example shows sending the generated competitor report to an external messaging service, but it does not warn that potentially sensitive or proprietary collected data will leave the local environment. This creates a risk of unintentional data exfiltration, especially if the skill is used with internal analysis, enriched notes, or non-public business intelligence.

VirusTotal

65/65 vendors flagged this skill as clean.
