B2B SaaS competitive intelligence with 24 scenarios across Sales/HR/Fintech/Ops Tech
Security Analysis
Medium confidence. The skill's content matches its claimed purpose (competitive intelligence templates and workflows), but two operational red flags — an always:true persistence setting and a detected prompt‑injection signal (unicode control characters) — make the package suspicious until those are explained or fixed.
Name, description, README, and SKILL.md are coherent: this is a purely instructional, template-driven competitive intelligence skill for B2B SaaS, and the files only describe research steps, templates, and checklists that fit that purpose.
The SKILL.md instructs the agent to run searches, mine public review sites (G2, Reddit, LinkedIn), and use templates — all within the stated scope. However the scanner detected prompt‑injection patterns (unicode-control-chars) inside SKILL.md which could be used to manipulate model behavior; that is out of scope for a purely instructional template and should be investigated.
Instruction-only skill with no install spec and no code files. Lowest-risk install footprint — nothing is written or downloaded during install.
The skill requests no environment variables, credentials, or config paths. That is proportionate for a template/instruction-only skill.
The skill is marked always:true in metadata, meaning it would be force-included in every agent run. Most skills do not need this; combined with the prompt-injection signal it increases the blast radius and is a legitimate concern.
Guidance
This skill appears to deliver exactly what it claims (competitive intelligence templates and workflows) and requests no credentials, which is good. However:

(1) The skill's metadata sets always:true — that will cause the skill to be included in every agent session; it should not be necessary for an instructional template and increases risk.
(2) The SKILL.md contains unicode control characters flagged by a scanner; hidden characters can be used to perform prompt injection (make the model ignore system prompts or follow hidden instructions).

Before installing: ask the publisher why always:true is set and request its removal unless there is a clear justification; ask them to provide a cleaned SKILL.md without hidden unicode control characters (or sanitize it yourself by re-creating the file from visible text).

If you still want to trial it, do so in a sandboxed or limited-permission environment, disable autonomous invocation / restrict skill use to explicit user invocation only, and do not supply any secrets or credentials while testing.

If the author is unknown or cannot explain/remove the hidden characters and always:true, treat installation as higher risk and avoid enabling it globally.
Latest Release
v1.0.0
Initial release: B2B SaaS competitive intelligence skill with multi-dimensional guidance.
- Supports 24 research scenarios across Sales, HR, Fintech, and Operations Tech sectors.
- Covers different company stages (Series A–D+) and geographies (India, US, Global).
- Step-by-step navigator helps users identify best practices for their vertical, stage, market, and team role.
- Includes quick-start scenarios for common use cases (e.g., founder battle cards, PMM analysis, CMO market mapping).
- Provides in-depth sample walkthrough for Sales Tech at Series A: competitor mapping, pricing research, positioning, and battle card synthesis.
Published by @shashwatgtm on ClawHub