Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Competitor Trial Monitor
v0.1.0
Monitor competitor clinical trial progress and alert on market risks
by AIpoch (@aipoch-ai)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
SKILL.md states multiple data sources (ClinicalTrials.gov, EU register, WHO ICTRP) and alert channels (e.g., Feishu) and lists dependencies (requests, python-dateutil). The included script, however, only queries ClinicalTrials.gov via urllib and writes local JSON alert files/prints to console. Declared features and dependencies do not match the code, which suggests documentation drift or incomplete/incorrect implementation.
Instruction Scope
Runtime instructions map to the provided CLI and filesystem paths (~/.openclaw/competitor-trial-monitor). The script performs network calls to clinicaltrials.gov (expected) and reads/writes only to its own data directory. It does not read unrelated system files or request environment variables. However, SKILL.md implies external alert delivery (Feishu) and other registries that the script does not implement; the agent instructions therefore overstate scope.
Install Mechanism
This is an instruction-only skill with no install spec. The only executable artefact is the included Python script; nothing is downloaded or installed automatically by the skill bundle.
Credentials
The skill requests no environment variables, credentials, or config paths beyond writing into a per-user directory under the user's home (~/.openclaw/...). No secrets are requested. This is proportionate to the stated purpose.
Persistence & Privilege
always:false and the skill does not request system-wide changes or modify other skills. It stores state only under the user's home directory in a dedicated path.
What to consider before installing
This skill appears to be a mostly-local monitor that fetches data from ClinicalTrials.gov and stores alerts in ~/.openclaw/competitor-trial-monitor. The main concern is inconsistency between the documentation and the code: SKILL.md advertises EU/WHO registries, Feishu alerts, and requires requests/python-dateutil, but the script only uses urllib and only queries ClinicalTrials.gov and prints/saves alerts locally. Before installing or running:
1) Review the full script to ensure there are no hidden network endpoints (the provided portion looks clean but confirm the truncated part).
2) If you expect multi-registry monitoring or push notifications (Feishu), verify those implementations or add them intentionally; do not assume they exist.
3) Consider running the script in a sandboxed account or container (so it only writes to the dedicated data directory) and monitor outbound network traffic.
4) If you will share sensitive competitor identifiers, be aware the data is stored under your home directory; move the storage to a controlled workspace or encrypt it if needed.
If these mismatches worry you or you need the additional features, ask the author for an updated release or seek a variant whose code and docs align.
Like a lobster shell, security has layers — review code before you run it.
latest: vk975qe6ngyszt2tdk5hz0nygfn834wdt
