ClawHub

Competitive Intelligence & Market Research

v1.0.0

B2B SaaS competitive intelligence with 24 scenarios across Sales/HR/Fintech/Ops Tech

12· 5.2k·17 current·17 all-time
byShashwat Ghosh@shashwatgtm
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, README, and SKILL.md are coherent: this is a purely instructional, template-driven competitive intelligence skill for B2B SaaS, and the files only describe research steps, templates, and checklists that fit that purpose.
Instruction Scope
The SKILL.md instructs the agent to run searches, mine public review sites (G2, Reddit, LinkedIn), and use templates — all within the stated scope. However the scanner detected prompt‑injection patterns (unicode-control-chars) inside SKILL.md which could be used to manipulate model behavior; that is out of scope for a purely instructional template and should be investigated.
Install Mechanism
Instruction-only skill with no install spec and no code files. Lowest-risk install footprint — nothing is written or downloaded during install.
Credentials
The skill requests no environment variables, credentials, or config paths. That is proportionate for a template/instruction-only skill.
!
Persistence & Privilege
The skill is marked always:true in metadata, meaning it would be force-included in every agent run. Most skills do not need this; combined with the prompt-injection signal it increases the blast radius and is a legitimate concern.
Scan Findings in Context
[unicode-control-chars] unexpected: The SKILL.md contains hidden/unusual unicode control characters. For an instruction-only templates skill this is unexpected — such characters are often used in prompt-injection attacks to alter model instructions or hide malicious directives. Could be benign (formatting artefact) but should be reviewed and removed.
What to consider before installing
This skill appears to deliver exactly what it claims (competitive intelligence templates and workflows) and requests no credentials, which is good. However: (1) the skill's metadata sets always:true — that will cause the skill to be included in every agent session; it should not be necessary for an instructional template and increases risk. (2) the SKILL.md contains unicode control characters flagged by a scanner; hidden characters can be used to perform prompt injection (make the model ignore system prompts or follow hidden instructions). Before installing: ask the publisher why always:true is set and request its removal unless there is a clear justification; ask them to provide a cleaned SKILL.md without hidden unicode control characters (or sanitize it yourself by re-creating the file from visible text). If you still want to trial it, do so in a sandboxed or limited-permission environment, disable autonomous invocation / restrict skill use to explicit user invocation only, and do not supply any secrets or credentials while testing. If the author is unknown or cannot explain/remove the hidden characters and always:true, treat installation as higher risk and avoid enabling it globally.

Like a lobster shell, security has layers — review code before you run it.

b2bvk971sp0a7eeyqqnr45wmtfc9xs7zya3fcompetitive-analysisvk971sp0a7eeyqqnr45wmtfc9xs7zya3fgtmvk971sp0a7eeyqqnr45wmtfc9xs7zya3flatestvk971sp0a7eeyqqnr45wmtfc9xs7zya3fmarket-researchvk971sp0a7eeyqqnr45wmtfc9xs7zya3fsaasvk971sp0a7eeyqqnr45wmtfc9xs7zya3fsales-enablementvk971sp0a7eeyqqnr45wmtfc9xs7zya3f

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔍 Clawdis

Comments