ClawHub
Back to skill

Security audit

competitor-alert-system

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only competitor monitoring skill whose public-source research and reports match its stated purpose, but users should set clear limits before enabling ongoing monitoring.

Before installing, decide exactly which competitors, sources, schedule, alert thresholds, and delivery channels are allowed. Require citations and timestamps in reports, avoid private or authenticated data unless authorized, and make sure ongoing monitoring can be stopped and stored records can be deleted or corrected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrase at this line is broad enough to match ordinary business conversations, which can cause unintended skill activation. In a skill that performs external monitoring and report generation, accidental activation may lead to unnecessary collection of third-party information or user confusion about what actions the agent is taking.

Vague Triggers

Medium
Confidence
84% confidence
Finding
This trigger is highly generic and ambiguous, making it unreliable for safe activation boundaries. Because the skill is designed for ongoing competitor intelligence workflows, an imprecise trigger increases the chance that unrelated requests invoke monitoring behavior or produce surveillance-style outputs without clear user intent.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The phrase on this line can easily collide with routine business language, so the skill may activate in contexts where the user is only asking for general discussion. Given that the skill supports recurring monitoring and alerting, this broad match increases the risk of over-collection, mistaken task execution, and unintended handling of external-source data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill describes continuous monitoring, real-time alerts, and collection from multiple external sources, but it does not warn users about privacy, data-handling practices, retention, or legal/terms-of-service constraints. This is risky because monitoring workflows can aggregate personal or sensitive public data at scale, and users may not understand what is being collected, stored, or pushed onward.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal