Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

company-search

v2.0.4

Multi-source company research tool that generates structured due-diligence reports. Use when the user asks to research, look up, or investigate a company — i...

by fan@fan31415

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious (see linked report)

OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (multi-source company due diligence) align with the provided assets: an instruction-rich SKILL.md and a local Python fallback (search_fetch.py) that performs web search and page fetch/extraction. Required binary (python3) and declared pip dependencies (ddgs, requests, beautifulsoup4, lxml, optional trafilatura) are appropriate for web search and scraping.
Instruction Scope
Instructions are focused on searching and fetching public web sources and producing a strict structured report. They explicitly allow multiple fetch strategies and a fallback to a local script. Important: the documentation and the script permit using third-party reader proxies (r.jina.ai and archive.org) when direct fetching fails or when 'auto' is chosen; those services receive the target URL and (in the jina case) the page content. The skill does warn about not using proxies for internal/sensitive URLs, but using 'auto' without care could leak URLs/content to third parties.
Install Mechanism
No opaque remote installers or arbitrary binary downloads are used; dependencies are standard Python packages installable via pip (ddgs, requests, beautifulsoup4, lxml, optional trafilatura). package.json includes a setup script that runs pip install. This is moderate-risk (public packages), expected for this functionality. Minor inconsistency: registry metadata lists version 2.0.4 while package.json shows 2.1.0 — likely benign but worth noting.
Credentials
The skill requests no environment variables, no API keys, and no config paths. It does not require unrelated cloud credentials or secrets to perform its advertised task.
Persistence & Privilege
The skill is not forced-always, does not request elevated persistence, and does not modify other skills or system-wide settings. Autonomous invocation is allowed by default (platform normal) but not combined here with broad credential access.
Assessment
This skill appears coherent for public web-based company research. Before installing/using:

- Be cautious with the FETCH 'auto' mode: it may send target URLs and page content to r.jina.ai or archive.org. Do not use auto/jina/archive on internal, intranet, paywalled, or otherwise sensitive URLs. Prefer 'direct' or the --no-third-party option.
- If you run the local fallback (search_fetch.py), review and control the command-line strategy used; the script's CLI default is 'direct', but 'auto' will cascade to third-party proxies.
- Installing requires pip packages; review and sandbox installs if you have strict policies. Verify that the package versions you install match your trust requirements (noting the minor version mismatch between package.json and the registry metadata).
- The skill scrapes public pages; respect robots.txt, terms of service, and applicable laws when scraping third-party sites. If you need paywalled or proprietary data, this skill cannot access it without appropriate credentials.
- If you need stronger guarantees against data exfiltration, restrict fetches to direct-only and consider running the code in an isolated environment or reviewing network egress rules.


Runtime requirements

Bins: python3