Skill v1.0.0

ClawScan security

Competitor Spy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 15, 2026, 9:37 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions, requirements, and behavior are coherent with a competitive-intelligence web-scraping tool and do not request unrelated credentials or installs.
Guidance
This skill appears internally consistent for public competitive research: it only instructs fetching public pages and synthesizing findings and doesn't ask for credentials or install anything. Things to consider before installing: (1) the SKILL.md suggests using Google cache to access pages that block scraping — that may violate some sites' terms of service or legal restrictions, so avoid using it against targets you don't have permission to analyze; (2) the source and owner are unknown and there's no homepage—if you need provenance, ask the publisher for more info; (3) if you plan to analyze sites behind logins or use paid third-party APIs (SimilarWeb, Alexa), those will require credentials that the skill does not request now — be cautious about supplying any secrets later; (4) consider keeping this skill user-invocable only (do not grant broad autonomous scopes) to prevent large-scale automated scraping. If the package later includes code, install steps, or requests credentials, re-evaluate as those would materially change the risk profile.

Review Dimensions

Purpose & Capability
ok
Name and description match the instructions: fetching public pages, extracting tech, pricing, SEO, and producing reports. No unrelated binaries, env vars, or installs are requested.
Instruction Scope
note
Runtime instructions are focused on public web scraping and analysis (web_fetch, web_search, Google cache, LinkedIn/Twitter, SimilarWeb). One noteworthy guidance suggests trying Google cache if scraping is blocked — this is a minor red flag because it explicitly recommends a means to bypass site blocks; otherwise instructions do not ask the agent to read local files, secrets, or unrelated system state.
Install Mechanism
ok
Instruction-only skill with no install spec or packaged code. This minimizes on-disk risk — nothing is downloaded or installed by the skill itself.
Credentials
ok
No environment variables, credentials, or config paths are requested, which is proportionate for a tool that analyzes public web pages. The skill does suggest consulting third-party services (SimilarWeb/Alexa) but does not request API keys.
Persistence & Privilege
ok
always is false and the skill does not request system-wide changes or persistent presence. Default autonomous invocation is allowed (platform default) but not escalated.