ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Market Radar

v1.0.0

Industry hotspot and competitor monitoring across 5 dimensions. Use when user (in Chinese) asks to monitor an industry (监测...行业) and provides competitor URLs...

0· 215·2 current·2 all-time
bydouble@law52525
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (competitor & industry monitoring) matches the SKILL.md instructions to perform multi‑source web research and a 5‑dimension competitor scan. Requiring an 'agent-browser' binary is coherent with the explicit mandate to use a CLI browser for snapshots. However, the SKILL.md promises delivery 'via Telegram' yet the registry metadata and requires.env declare no Telegram credentials or delivery mechanism — that mismatch is unexplained.
Instruction Scope
Instructions are detailed and narrowly scoped to English-language, international sources and a defined five-step scan. The skill mandates using the agent-browser CLI for all browsing (no fallback), persistent sessions, snapshot/screenshot actions, and scraping of specific selectors and keyword checks (references/monitoring-rules.md). This is appropriate for the stated purpose, but it also means the agent will perform extensive live web requests and capture page snapshots — confirm you are comfortable with that network access and that target URLs are public. The Telegram delivery step is referenced but not specified in runtime steps (no commands or credentials shown).
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. It only requires that an 'agent-browser' binary exists on PATH; nothing in the skill pulls executables or downloads code.
!
Credentials
The skill declares no required environment variables or credentials, yet the SKILL.md describes automatic delivery of results via Telegram. Sending messages to Telegram requires a bot token and chat identifiers (or other delivery credentials). The absence of any declared env vars (TELEGRAM_TOKEN, TELEGRAM_CHAT_ID, etc.) or guidance on how to wire delivery is an incoherence that could mean the skill is incomplete or relies on undocumented platform-level secrets. Otherwise, requested access (web browsing) is proportionate for the task.
Persistence & Privilege
always:false and no install hooks or config writes are present. The skill can be invoked autonomously by the agent (platform default), which is expected for skills that perform automated monitoring; there is no evidence it requests permanent elevated privileges or modifies other skills.
What to consider before installing
This skill appears to be a legitimate market‑monitoring workflow, but it has one important mismatch you should resolve before using it: the instructions say results will be delivered via Telegram but the skill declares no Telegram token/chat configuration. Ask the publisher how delivery is implemented and where to supply a bot token/chat id; do not provide credentials until you confirm the intended flow. Also verify that you want the agent to perform live browsing (it will visit public competitor sites and take snapshots), and confirm agent-browser will run in a safe environment with network access. If you plan to allow autonomous runs, be aware the agent can perform repeated web requests on its own — ensure that behavior and any data retention/logging are acceptable. If these questions are answered satisfactorily (especially delivery credentials), the remaining design is coherent.

Like a lobster shell, security has layers — review code before you run it.

latestvk971jt056tg8cxvmx8gvtf0jyx82rfkm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📡 Clawdis
Binsagent-browser

Comments