Competitor Analyzer

Generates a detailed report on a company's market position, pricing, social activity, recent news, and strengths by analyzing its name or URL.

This skill does what it claims (runs web searches and writes a report), but the bundled analyze.sh is unsafe to run with untrusted input because it interpolates the user-supplied company string directly into python -c, allowing arbitrary Python code execution. Before using: 1) Do not run the script on inputs from untrusted sources or external agents. 2) Fix the injection by passing the query as a python argument instead of embedding it in code. Example safe replacement: replace the call python3 -c "import urllib.parse; print(urllib.parse.quote('$query'))" with python3 -c "import urllib.parse,sys; print(urllib.parse.quote(sys.argv[1]))" -- "$query" (or URL-encode with a POSIX-safe tool) so the query is passed as argv rather than injected into the code string. 3) Update SKILL.md to list python3 as a required binary and mention that the script writes competitor-report-*.md to the current directory. 4) Run the script in a sandbox or throwaway directory until you (or someone you trust) audits it. If you cannot patch or audit the script, treat the skill as unsafe and avoid installing/invoking it from untrusted agents.

Type: OpenClaw Skill Name: shelly-competitor-analyzer Version: 1.0.0 The `analyze.sh` script contains a shell injection vulnerability within its `search` function. The `python3 -c "import urllib.parse; print(urllib.parse.quote('$query'))"` command is susceptible to arbitrary code execution if the `$query` variable (derived from user input) contains unescaped single quotes, leading to a potential Remote Code Execution (RCE) risk. While this is a critical vulnerability, there is no clear evidence of intentional malicious behavior such as data exfiltration or persistence, aligning it with a 'suspicious' classification rather than 'malicious'.