Competitor Teardown
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a normal competitive-research guide, but it asks users to install and log into a third-party CLI and send research queries to external services.
This skill is coherent for competitive research and has no code files or static scan findings. Before installing or using it, verify the inference.sh CLI installer, understand the infsh login/account implications, and avoid sending confidential internal strategy or private data to the external search and browser apps.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill's recommended CLI gives code from an external domain access to run during setup.
The skill tells the user to install a third-party CLI by piping a remote script to the shell. This is disclosed and user-directed, but it is still an external installer path users should verify.
curl -fsSL https://cli.inference.sh | sh && infsh login
Use the manual install and checksum verification path if possible, and only install the CLI if you trust inference.sh.
An agent using the skill could run infsh commands beyond the specific examples, depending on what the infsh CLI supports.
The skill permits Bash use of any `infsh` command, while the examples focus on specific research apps. The broad wildcard is purpose-aligned but less tightly scoped than the documented workflows.
allowed-tools: Bash(infsh *)
Review infsh commands before approving them, especially anything outside search, extraction, or screenshot workflows.
The skill may operate under the user's inference.sh account or session when running research commands.
The skill expects login to the inference.sh CLI, even though registry metadata declares no primary credential. This appears necessary for the external service but should be visible to users.
infsh login
Log in with the intended account only, and understand what permissions and billing may apply to infsh app runs.
Competitor names, target URLs, and potentially sensitive business research questions may be sent to external services.
The skill sends queries, URLs, and browsing tasks to third-party or hosted apps through the infsh CLI. This is central to the competitive-research purpose, but it creates an external data boundary.
infsh app run tavily/search-assistant --input ...; infsh app run exa/search --input ...; infsh app run infsh/agent-browser --input ...
Avoid including confidential product strategy, private customer data, or nonpublic business information in prompts sent through these provider apps.