Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Market Research

v1.0.0

Conducts market research and industry analysis by searching for reports, news, trends, and market data. Use when the user mentions 'market research,' 'indust...

by Mario Karras (@mariokarras)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to perform market research and instructs the agent to perform web searches and occasional scraping, which is coherent with the stated purpose. However, the SKILL.md explicitly invokes Node-based helper scripts (node tools/clis/exa.js and node tools/clis/firecrawl.js) and references local tool paths that are not included in the skill bundle and are not listed in required binaries or install steps.
Instruction Scope
Instructions mainly stay within the market-research scope (ask clarifying questions, search, optionally scrape specific reports, synthesize results). They do instruct reading a local context file (.agents/product-marketing-context.md or .claude/...), which is reasonable. They also permit scraping of external report URLs — acceptable for this purpose but worth auditing since scraping can download and process arbitrary external pages and might capture sensitive content.
Install Mechanism
There is no install spec and no code files bundled. Yet the runtime commands rely on local Node scripts under tools/clis/*. Because those helper scripts are not provided and no installation instructions are present, the skill assumes an environment configuration that may not exist. This mismatch is an incoherence: either the skill should declare required binaries (node) and these tools, or include/install them.
Credentials
The skill requests no environment variables, no credentials, and no config paths beyond reading an optional local product-marketing-context file. There are no apparent secret-exfiltration requests in the SKILL.md itself.
Persistence & Privilege
always is false and there's no install that writes persistent components. disable-model-invocation is false (normal). The skill does not request elevated or persistent privileges or modify other skills' config.
What to consider before installing
This skill's instructions are broadly consistent with market research, but it expects to run local Node helper scripts (tools/clis/exa.js and tools/clis/firecrawl.js) and to scrape external report pages. Before installing or enabling the skill:
1) Confirm the agent environment actually has Node and those helper scripts, or ask the publisher to include an install spec or bundled tools.
2) If those scripts exist, review their source to see what they do (network endpoints they call, whether they exfiltrate data, what files they read).
3) Decide whether it's acceptable for the agent to read the optional .agents/product-marketing-context.md file from its workspace.
If you cannot confirm the provenance and behavior of the helper scripts, treat this skill as higher risk and avoid enabling it until the missing dependencies/install steps are clarified.

Like a lobster shell, security has layers — review code before you run it.
