Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

competitive-intel

v1.0.0

Real-time competitive intelligence and market research using Bright Data's web scraping infrastructure. Analyzes competitors' pricing, features, reviews, hir...

by Meir Kadosh (@meirk-brd)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

Purpose & Capability (flagged)
The skill's stated purpose (competitive intelligence via Bright Data) matches use of a web-scraping CLI, but the metadata claims no required binaries or credentials while the SKILL.md explicitly requires installing and running the Bright Data CLI and using tools like jq/xargs. Declaring 'no env vars / no API keys' contradicts the practical need for Bright Data authentication and any platform credentials.
Instruction Scope (flagged)
Runtime instructions direct the agent to run a remote installer (curl | bash), run bdata commands (search, scrape, pipelines), parallelize shell calls, pipe outputs to jq/xargs, and write output files. The instructions assume access to a system shell, the network, and an interactive login (bdata login), but do not declare where credentials come from, nor do they declare required binaries such as jq. The instructions also explicitly tell the agent to run arbitrary network calls and collect wide-ranging web data — which is expected for this skill, but the missing credential handling and broad file/command usage are scope gaps.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md instructs users/agents to run an installation command that downloads and executes a script from https://cli.brightdata.com/install.sh (curl | bash). That domain appears to be the vendor's official CLI host (lower risk than a random IP), but piping a remote script to a shell is high-risk behavior in general and the skill does not document verification (checksums, pinned release, or manual review).
Credentials (flagged)
The skill declares no required environment variables or primary credential, yet the workflow depends on the Bright Data CLI, which requires authentication (the SKILL.md calls for 'bdata login'). Additionally, the example workflows assume the availability of other CLI utilities (jq, xargs) and the ability to write files. The lack of declared credentials or config paths is disproportionate to what the instructions require and omits where sensitive tokens would be stored or how they are protected.
Persistence & Privilege
The skill is not always-enabled and does not request persistent privileges via the registry metadata. It is instruction-only and does not modify other skills' configs. However, because the SKILL.md tells agents to install a third-party CLI that writes to disk, the skill could create installed binaries on the host if followed — this is an operational concern but not a registry-declared privilege.
Scan Findings in Context
[no_regex_findings] unexpected: Static regex scanner found nothing to analyze — this is expected because the skill is instruction-only (no code files). Absence of findings does not mean the instructions are safe.
What to consider before installing
This skill tells the agent to install and run Bright Data's CLI and to execute many shell commands, but it does not declare that credentials or helper tools are needed — that mismatch is concerning. Before installing or enabling this skill:
1) Don't run the curl | bash installer blindly — review the installer script and prefer manual installation or a verified release (checksums/pinned versions).
2) Confirm how Bright Data authentication will be provided and where sensitive tokens will be stored; the skill omits any env vars or config paths.
3) If you allow the agent to run this, sandbox it (restricted account/container) because the agent will perform network I/O and write files.
4) Verify availability of required CLI utilities (jq, xargs) and whether running 'bdata login' requires interactive credentials you are comfortable providing.
5) Consider using a human-in-the-loop for initial runs to confirm commands and outputs, or ask the skill author to update metadata to declare required binaries and credentials and to provide safer install instructions (pinned releases, checksum verification).
