← Back to Skills Marketplace
beyondbright

Walter Competitor

by beyondbright · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
71
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install walter-competitor
Description
亚马逊竞品流量攻防智能分析。自动发现竞品、分析流量结构、识别弱点、生成攻击矩阵。无需手动提供ASIN,全自动竞品情报获取。
Usage Guidance
This skill bundles working code that expects you to install and configure a third‑party CLI (mcporter) with a SellerSprite secret, but the package metadata doesn't declare those requirements — that's a red flag. The code runs mcporter via subprocess.run(..., shell=True) and builds shell commands from input values without robust escaping: untrusted or specially crafted keywords could lead to command injection. Before installing or running it: - Confirm you trust the skill author and SellerSprite service. The owner is unknown and there is no homepage. - Do not supply production credentials or secrets until you understand where they'll be stored. The skill expects a secret-key in mcporter config (or URL) but does not declare an environment variable or secure storage mechanism. - Consider running the code in an isolated environment (VM/container) and review/modify the sellersprite_mcp.run_mcporter call to avoid shell=True or to properly escape/encode arguments. - Ask the author to: (1) declare required binaries and credentials in metadata, (2) remove shell usage or add safe escaping, and (3) document what data is sent to external endpoints and retention policies. Given these mismatches and the subprocess usage, treat this skill as suspicious until the above issues are resolved or you can audit and sandbox its execution.
Capability Analysis
Type: OpenClaw Skill Name: walter-competitor Version: 1.0.0 The skill bundle contains a critical shell injection vulnerability in `scripts/sellersprite_mcp.py`. The `run_mcporter` function executes system commands via `subprocess.run(shell=True)` using unsanitized string concatenation of arguments in the `_call` method, which allows for potential remote code execution (RCE) if the agent processes malicious user input. While the core logic in `scripts/traffic_analysis_v2.py` and `scripts/unified_data_layer_v2.py` appears legitimately designed for Amazon competitor analysis, the insecure implementation of the MCP bridge poses a significant security risk.
Capability Assessment
Purpose & Capability
The skill claims to auto-discover Amazon competitors and produce attack/ROI plans — the bundled Python code uses a SellerSprite MCP client (mcporter) to call many third‑party APIs, which is coherent with the stated purpose. However the registry metadata declares no required binaries or credentials while the code explicitly expects the mcporter CLI configured with a secret-key (example URL in comments). The missing declaration of that dependency/credential is an inconsistency.
Instruction Scope
SKILL.md + bundled scripts instruct use of the unified data layer and many remote API calls to collect competitor intelligence. The code will send user inputs (keyword, ASINs) and many internal API calls to external SellerSprite endpoints. The runtime uses subprocess.run(..., shell=True) to call mcporter, and argument construction does not reliably escape or validate strings — creating a risk that crafted inputs could lead to shell injection. The instructions do not document required credentials or how sensitive data is handled.
Install Mechanism
There is no install spec in the registry metadata, but sellersprite_mcp.py explicitly documents installing an npm global tool (mcporter) and configuring it with a secret-key URL (https://mcp.sellersprite.com/...). Relying on a globally installed CLI that must be configured with a secret is a high-friction/un-declared install requirement and increases risk because the skill invokes that CLI via shell commands.
Credentials
The skill declares no required environment variables or primary credential, yet operation requires a SellerSprite secret (shown in header comments and mcporter config example) and network access to third‑party endpoints. The absence of declared required credentials is disproportionate and hides that sensitive API keys / secrets (entered into mcporter config or URL) are necessary and will be used by the skill.
Persistence & Privilege
The skill is not always:true and does not request persistent system-wide privileges in metadata. It caches API responses in-memory only. Autonomous invocation is allowed (default) but that is normal for skills; no evidence the skill alters other skills or global agent configuration.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install walter-competitor
  3. After installation, invoke the skill by name or use /walter-competitor
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Major update: Skill upgraded from 1.0.0 to 2.0.0 with full automation and deeper competitor analysis. - Now fully automates competitor discovery—no manual ASIN input required. - Adds step-by-step analyses: automatic competitor detection, traffic breakdown, keyword attack/defense matrix, and competitor weakness mapping. - Outputs detailed battle plans, from instant attack (P0) to long-term strategies (P2), tailored budgets, and ROI scenarios. - Streamlines user input to just keyword and price (margin optional). - Provides actionable insights and auto-generated, executable ad strategies for Amazon competitors.
Metadata
Slug walter-competitor
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Walter Competitor?

亚马逊竞品流量攻防智能分析。自动发现竞品、分析流量结构、识别弱点、生成攻击矩阵。无需手动提供ASIN,全自动竞品情报获取。 It is an AI Agent Skill for Claude Code / OpenClaw, with 71 downloads so far.

How do I install Walter Competitor?

Run "/install walter-competitor" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Walter Competitor free?

Yes, Walter Competitor is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Walter Competitor support?

Walter Competitor is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Walter Competitor?

It is built and maintained by beyondbright (@beyondbright); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments