ClawHub

Competitor Spy

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only competitor research skill that fetches public web pages and search results, with no code execution, persistence, credentials, or local data access.

Install only if you are comfortable with target domains or business names being used in external web requests and searches. Use it for public, permitted competitive research, respect site terms and blocking signals, avoid collecting personal or paywalled information, and avoid entering sensitive internal targets unless disclosure to third-party services is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly instructs the agent to scrape multiple pages from third-party sites and aggregate competitive intelligence, but it provides no safeguards around consent, robots.txt, rate limiting, privacy, or terms-of-service compliance. This creates a real abuse risk because it operationalizes bulk collection from external targets in a way that could facilitate unauthorized or policy-violating reconnaissance.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The branding and trigger phrases repeatedly use covert framing such as 'Competitor Spy' and 'spy on,' which normalizes adversarial monitoring of third-party businesses and can encourage misuse. In context, this is more dangerous because the rest of the skill provides concrete instructions for reconnaissance and data extraction, making the deceptive framing part of an actionable collection workflow.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal