Competitor Radar
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill mostly matches its competitor-monitoring purpose, but it embeds an LLM API key and an undocumented helper script, so users should review it before use.
Review the hardcoded LLM endpoint and API key before installing. If you only want public-feed collection, run with --no-ai. Configure only feeds and organizations you intend to query, and avoid running the undocumented _write_radar.py helper unless you have inspected it.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may use an unknown embedded credential or account for AI scoring, so it is unclear who controls the LLM access, billing, and prompt handling.
The skill embeds an API-key-like credential for the LLM call instead of declaring or requesting a user-controlled credential.
"x-api-key": "sk-RPBUoe2SH7KigJ0SZn6IPDirZtJ2fUaWSukEx1FwxjhWFx0G"
Replace the hardcoded key with a documented user-provided configuration or environment variable, and clearly document the LLM endpoint and model used.
Collected feed titles and related competitor-monitoring content may be sent to the local LLM gateway and possibly onward, depending on that gateway's configuration.
AI scoring sends prompts to a local Anthropic-compatible LLM gateway; this is purpose-aligned, but the endpoint/model/data boundary is not disclosed in SKILL.md.
url = "http://127.0.0.1:18790/anthropic/v1/messages"
Use --no-ai if you do not want LLM scoring, and document whether the local gateway forwards data to an external provider.
If run manually, this helper could change the main script; it is not presented as part of the normal workflow.
The package includes an undocumented helper intended to write or regenerate radar.py, and it contains a second embedded radar implementation.
"""Helper script to write radar.py"""
Do not run _write_radar.py unless you have reviewed it; publishers should remove or clearly document generation helpers.
