Skill v1.0.0

ClawScan security

Company Scan · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 8, 2026, 2:45 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, instructions, and requested resources align with its stated purpose (querying 亿欧/iyiou company data and returning structured results); it runs a bundled Python script that calls a public API and writes output to a temp file, and it does not request unrelated credentials or system access.
Guidance
This skill will execute the bundled Python script (scripts/search_companies.py), which posts search queries to https://api-open-data.iyiou.com and writes results to a temp file that the agent then reads and shows you. It does not request credentials or system config. Before installing, consider:
1) Are you comfortable with the skill making network calls to an external service (iyiou)?
2) Don't pass sensitive secrets or private data as search terms, because they will be sent to the external API.
3) If you need offline or air-gapped operation, this skill will not work.
If you want higher assurance, review the full script (already included) to confirm there are no additional network endpoints or behaviors beyond the documented API calls.

Review Dimensions

Purpose & Capability: ok
Name/description (company scanning by industry/region/funding) match the provided script and SKILL.md: the script posts JSON queries to an iyiou search endpoint and renders results as Markdown. No unrelated env vars, binaries, or config paths are requested.
Instruction Scope: ok
SKILL.md stays on-task: it specifies how to parse user intent into search parameters, run the bundled Python script with --output-temp so results are written to the system temp directory, then read that file. It does not instruct the agent to read unrelated files or pull other credentials. Note: the runtime will execute the included Python code and perform network calls to the stated API.
Install Mechanism: ok
No install spec (instruction-only) and no third-party installers are used. The skill does bundle executable Python code; running it performs network I/O and writes a temp file, which is expected for this functionality.
Credentials: ok
The skill requests no environment variables, no secrets, and no config paths. The network calls go to iyiou endpoints (consistent with the stated data source). No disproportionate credential access is requested.
Persistence & Privilege: ok
The skill's always flag is false, and the skill does not request persistent presence or attempt to modify other skills or system-wide settings. It allows normal autonomous invocation (platform default), which is expected for an actionable skill.