beyondbright

Walter Competitor

Author: beyondbright · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 71
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install walter-competitor
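Description
Intelligent offense-and-defense analysis of Amazon competitor traffic. Automatically discovers competitors, analyzes traffic structure, identifies weaknesses, and generates an attack matrix. No need to provide ASINs manually; competitor intelligence is gathered fully automatically.
Security usage advice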
This skill bundles working code that expects you to install and configure a third‑party CLI (mcporter) with a SellerSprite secret, but the package metadata doesn't declare those requirements — that's a red flag. The code runs mcporter via subprocess.run(..., shell=True) and builds shell commands from input values without robust escaping: untrusted or specially crafted keywords could lead to command injection. Before installing or running it:
- Confirm you trust the skill author and SellerSprite service. The owner is unknown and there is no homepage.
- Do not supply production credentials or secrets until you understand where they'll be stored. The skill expects a secret-key in mcporter config (or URL) but does not declare an environment variable or secure storage mechanism.
- Consider running the code in an isolated environment (VM/container) and review/modify the sellersprite_mcp.run_mcporter call to avoid shell=True or to properly escape/encode arguments.
- Ask the author to: (1) declare required binaries and credentials in metadata, (2) remove shell usage or add safe escaping, and (3) document what data is sent to external endpoints and retention policies.
Given these mismatches and the subprocess usage, treat this skill as suspicious until the above issues are resolved or you can audit and sandbox its execution.
Functional analysis
Type: OpenClaw Skill
Name: walter-competitor
Version: 1.0.0
The skill bundle contains a critical shell injection vulnerability in `scripts/sellersprite_mcp.py`. The `run_mcporter` function executes system commands via `subprocess.run(shell=True)` using unsanitized string concatenation of arguments in the `_call` method, which allows for potential remote code execution (RCE) if the agent processes malicious user input. While the core logic in `scripts/traffic_analysis_v2.py` and `scripts/unified_data_layer_v2.py` appears legitimately designed for Amazon competitor analysis, the insecure implementation of the MCP bridge poses a significant security risk.
Capability assessment
Purpose & Capability
The skill claims to auto-discover Amazon competitors and produce attack/ROI plans — the bundled Python code uses a SellerSprite MCP client (mcporter) to call many third‑party APIs, which is coherent with the stated purpose. However the registry metadata declares no required binaries or credentials while the code explicitly expects the mcporter CLI configured with a secret-key (example URL in comments). The missing declaration of that dependency/credential is an inconsistency.
Instruction Scope
SKILL.md + bundled scripts instruct use of the unified data layer and many remote API calls to collect competitor intelligence. The code will send user inputs (keyword, ASINs) and many internal API calls to external SellerSprite endpoints. The runtime uses subprocess.run(..., shell=True) to call mcporter, and argument construction does not reliably escape or validate strings — creating a risk that crafted inputs could lead to shell injection. The instructions do not document required credentials or how sensitive data is handled.
Install Mechanism
There is no install spec in the registry metadata, but sellersprite_mcp.py explicitly documents installing an npm global tool (mcporter) and configuring it with a secret-key URL (https://mcp.sellersprite.com/...). Relying on a globally installed CLI that must be configured with a secret is a high-friction, undeclared install requirement and increases risk because the skill invokes that CLI via shell commands.
Credentials
The skill declares no required environment variables or primary credential, yet operation requires a SellerSprite secret (shown in header comments and mcporter config example) and network access to third‑party endpoints. The absence of declared required credentials is disproportionate and hides that sensitive API keys / secrets (entered into mcporter config or URL) are necessary and will be used by the skill.
Persistence & Privilege
The skill is not always:true and does not request persistent system-wide privileges in metadata. It caches API responses in-memory only. Autonomous invocation is allowed (default) but that is normal for skills; no evidence the skill alters other skills or global agent configuration.
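How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install walter-competitor
  3. Once installation completes, call the Skill by name or trigger it with /walter-competitor
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history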
v1.0.0
Major update: Skill upgraded from 1.0.0 to 2.0.0 with full automation and deeper competitor analysis.
- Now fully automates competitor discovery—no manual ASIN input required.
- Adds step-by-step analyses: automatic competitor detection, traffic breakdown, keyword attack/defense matrix, and competitor weakness mapping.
- Outputs detailed battle plans, from instant attack (P0) to long-term strategies (P2), tailored budgets, and ROI scenarios.
- Streamlines user input to just keyword and price (margin optional).
- Provides actionable insights and auto-generated, executable ad strategies for Amazon competitors.
Metadata
Slug walter-competitor
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Version count 1
FAQ

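What is Walter Competitor?

Intelligent offense-and-defense analysis of Amazon competitor traffic. Automatically discovers competitors, analyzes traffic structure, identifies weaknesses, and generates an attack matrix. No need to provide ASINs manually; competitor intelligence is gathered fully automatically. It is an AI Agent Skill plugin for Claude Code / OpenClaw and has been downloaded 71 times in total so far.

How do I install Walter Competitor?

Run the command "/install walter-competitor" in the OpenClaw or Claude Code chat box to install it with one click; no additional configuration is needed.

Is Walter Competitor free?

Yes, Walter Competitor is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does Walter Competitor support?

Walter Competitor runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Walter Competitor?

It is developed and maintained by beyondbright (@beyondbright); the current version is v1.0.0.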
