Skill v1.0.0

ClawScan security

competitor-monitor-weekly · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 13, 2026, 1:04 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill mostly does what it says (weekly competitor scraping and reporting), but its declared credentials/config are inconsistent with the files it ships, and it depends on other skills and on webhooks that could transmit scraped data off-host. Review before enabling.
Guidance
This Combo largely matches its description, but review the following before enabling:
1) Provide only the webhooks/API keys the distribution step actually needs (Feishu/DingTalk/email SMTP/n8n) and verify their scopes. The registry metadata declared no required env vars, yet config.yaml expects FEISHU_WEBHOOK_URL and DINGTALK_WEBHOOK.
2) Inspect the dependent Skills (agent-reach, brave-search, paddleocr-doc-parsing, n8n-workflow-automation, self-improving-agent) for the credentials they need and whether they transmit data externally.
3) Check the destination endpoints of the n8n workflow ('competitor-report-distribution') so that reports and scraped data are sent only to trusted channels.
4) Review what 'self-improving-agent' records and whether it shares telemetry externally; disable it if you do not want execution context sent off-host.
5) Confirm that the local history path and retention (./data/competitor-reports, 90 days) meet your data-retention and privacy policies.
6) Because the source/homepage is missing and the owner is not recognizable, test in a sandbox with limited credentials before deploying to production.
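Checks 1 and 3 above can be scripted. The Python below is an added example, not ClawHub's scanner and not the skill's own code: it lists the env vars a config.yaml references that the registry metadata never declared, and walks an n8n workflow export for outbound http(s) destinations to compare against an allowlist of trusted hosts. The config text, the workflow JSON (including the node field names under "parameters") and the set of trusted hosts are constructed assumptions standing in for the real skill files, which this page does not reproduce.

```python
"""Pre-enable audit for a skill bundle such as competitor-monitor-weekly.

Added example, not ClawHub's or the skill's code. Implements two of the review steps:
  1. env vars referenced in config.yaml but absent from the registry's declared list
  2. outbound destinations in an n8n workflow export that fall outside an allowlist
All inputs below are constructed so the script runs offline.
"""
from __future__ import annotations

import json
import re
from urllib.parse import urlparse

# Constructed stand-in for the skill's config.yaml (mirrors the two refs the scan found).
CONFIG_YAML = """
distribution:
  feishu:
    webhook_url: ${FEISHU_WEBHOOK_URL}
  dingtalk:
    webhook: ${DINGTALK_WEBHOOK}
storage:
  path: ./data/competitor-reports
  retention_days: 90
"""

# What the registry metadata declared as required env vars (the scan found none).
DECLARED_ENV_VARS: frozenset[str] = frozenset()

# Constructed n8n workflow export. Real exports carry a top-level "nodes" list whose
# entries have "type" and "parameters"; the exact URL field names are assumptions.
WORKFLOW_JSON = json.dumps({
    "name": "competitor-report-distribution",
    "nodes": [
        {"name": "Feishu", "type": "n8n-nodes-base.httpRequest",
         "parameters": {"url": "https://open.feishu.cn/open-apis/bot/v2/hook/xxxx"}},
        {"name": "DingTalk", "type": "n8n-nodes-base.httpRequest",
         "parameters": {"url": "https://oapi.dingtalk.com/robot/send?access_token=xxxx"}},
        {"name": "Telemetry", "type": "n8n-nodes-base.httpRequest",
         "parameters": {"url": "https://collector.example.net/ingest"}},
    ],
})

# Hosts the operator has decided reports may be sent to (assumption for this example).
TRUSTED_HOSTS = {"open.feishu.cn", "oapi.dingtalk.com"}

# Matches ${VAR} or bare $VAR in config text.
ENV_REF = re.compile(r"\$\{([A-Z][A-Z0-9_]*)\}|\$([A-Z][A-Z0-9_]*)\b")


def referenced_env_vars(config_text: str) -> set[str]:
    """Collect env var names referenced in a config file's raw text.

    Scanning the text rather than parsing YAML keeps this dependency-free and also
    catches references a parser would have already substituted or quoted away.
    """
    return {braced or bare for braced, bare in ENV_REF.findall(config_text)}


def undeclared_env_vars(config_text: str, declared: frozenset[str]) -> list[str]:
    """Env vars the config needs that the registry metadata did not declare."""
    return sorted(referenced_env_vars(config_text) - declared)


def _strings(obj):
    """Yield every string value anywhere inside a nested JSON structure."""
    if isinstance(obj, dict):
        for value in obj.values():
            yield from _strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _strings(value)
    elif isinstance(obj, str):
        yield obj


def outbound_hosts(workflow_json: str) -> dict[str, set[str]]:
    """Map each node name to the lower-cased hosts of http(s) URLs in its parameters.

    Every string under "parameters" is scanned, not only a known "url" key, so
    destinations embedded in headers, expressions or body templates are found too.
    """
    workflow = json.loads(workflow_json)
    found: dict[str, set[str]] = {}
    for node in workflow.get("nodes", []):
        hosts = set()
        for text in _strings(node.get("parameters", {})):
            for url in re.findall(r"https?://[^\s\"'<>]+", text):
                host = urlparse(url).hostname
                if host:
                    hosts.add(host.lower())
        if hosts:
            found[node.get("name", "<unnamed>")] = hosts
    return found


def untrusted_destinations(workflow_json: str, trusted: set[str]) -> dict[str, set[str]]:
    """Nodes that send to hosts outside the allowlist; an empty dict means all clear."""
    return {name: hosts - trusted
            for name, hosts in outbound_hosts(workflow_json).items()
            if hosts - trusted}


if __name__ == "__main__":
    print("undeclared env vars:", undeclared_env_vars(CONFIG_YAML, DECLARED_ENV_VARS))
    print("untrusted destinations:", untrusted_destinations(WORKFLOW_JSON, TRUSTED_HOSTS))
```

Run it against the real config.yaml and the exported workflow JSON by replacing the constructed constants; a non-empty result from either function is the inconsistency or the untrusted channel the guidance asks you to resolve before enabling the skill.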

Review Dimensions

Purpose & Capability
note
The name/description (weekly competitor monitoring and distribution) aligns with the workflow, templates, and steps. The skill legitimately depends on platform crawlers, OCR, summarization, and an automation tool for distribution. Minor mismatches: the registry metadata for SKILL.md lists no required env vars, but the provided config.yaml references FEISHU_WEBHOOK_URL and DINGTALK_WEBHOOK; and the SKILL.md category is 'Images' (图像) while the task is primarily web/text monitoring. These inconsistencies should not be ignored.
Instruction Scope
note
Runtime instructions stay within the stated purpose: collect content via agent-reach and brave-search, parse with paddleocr, summarize, template a report, and push via n8n. The instructions do not ask the agent to read arbitrary system files or unknown env vars beyond what the config implies. Caveat: the 'self-improving-agent' step records execution metrics and could capture context or data beyond strict reporting needs; inspect what that skill records and where it sends it.
Install Mechanism
ok
Instruction-only skill with no install spec and no bundled code to execute, so direct install risk is low. However, it orchestrates other skills (agent-reach, n8n, etc.) which may themselves install software or require credentials; those should be inspected separately.
Credentials
concern
Registry metadata lists no required env vars, yet config.yaml reads webhooks from environment variables (FEISHU_WEBHOOK_URL, DINGTALK_WEBHOOK) and SKILL.md also shows FEISHU_WEBHOOK. The skill therefore needs at least channel webhook/API credentials to function. That is proportionate to its distribution functionality, but omitting them from the declared requirements is an inconsistency that could mislead operators about what the skill will touch. The skill also depends on other Skills and on 'per-platform API configuration (if needed)' (各平台 API 配置(如需要)); those external credentials may be broad (social platform tokens, YouTube API keys, n8n credentials) and should be granted minimally and reviewed.
Persistence & Privilege
note
Does not request always:true and is user-invocable. It keeps a local history by default (storage: ./data/competitor-reports, retention 90 days) and uses a self-improving agent to record metrics. These are reasonable for a monitoring skill, but confirm the storage location and retention period, and whether any dependent skill uploads history or metrics to external services.