Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Competitor Teardown

v0.1.5

Structured competitive analysis with feature matrices, SWOT, positioning maps, and UX review. Covers research frameworks, pricing comparison, review mining,...

by Ömer Karışman (@okaris)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (competitor teardown) match the instructions: web search + screenshots + review mining. The commands and suggested outputs are consistent with that purpose and no unrelated credentials or capabilities are requested.
! Instruction Scope
The runtime instructions direct the agent to install and use the inference.sh CLI and to run apps that search the web and take screenshots (infsh/agent-browser). That means scraped pages/screenshots will be processed by inference.sh infrastructure unless run locally — the SKILL.md does not clearly state what data is uploaded, retained, or who can access it. It also suggests capturing signup flows which could entail interacting with authentication pages or user credentials if the operator chooses to log in.
! Install Mechanism
Installation is recommended via piping curl https://cli.inference.sh | sh which downloads a binary from dist.inference.sh. The README claims SHA-256 verification is available, but this is a direct download from a third‑party domain (not a widely known package host). That is a higher supply-chain risk than an instruction-only skill and should be verified manually before running.
Credentials
The skill declares no required env vars or credentials, but the instructions call out 'infsh login' — using the skill will require credentials for inference.sh (or other services invoked) which are not documented in metadata. There is no request for unrelated secrets, but you should assume account tokens will be created/stored by the CLI/service.
Persistence & Privilege
The skill does not request always: true or other elevated runtime privileges. Installing the third‑party CLI will add a binary and may persist credentials/config for that CLI, but the skill itself is instruction-only and does not claim to modify other skills or system-wide agent settings.
What to consider before installing
This skill does what it says (competitive research) but depends on a third‑party CLI (inference.sh) installed via curl | sh and runs remote apps that will likely send scraped pages and screenshots to that service. Before installing: verify the reputation and privacy policy of inference.sh, prefer manually downloading and verifying the binary (use the provided checksum file), avoid logging into sensitive accounts or uploading PII during screenshots, and consider alternatives that run locally (your own browser + local screenshot tools or trusted enterprise tooling). If you need stronger assurance, ask the skill author for a transparent explanation of what data is sent to inference.sh and how long it is retained.
