company-search
Pass
Audited by ClawScan on May 1, 2026.
Overview
This looks like a coherent company-research skill that uses public web search/fetching, with some disclosed but important operational notes around shell fallback, optional third-party fetch proxies, and unpinned package setup.
This skill appears reasonable for public company research. Before installing, be aware that the local fallback may run Python commands, optional setup installs third-party Python packages, and non-direct fetch modes can send public URLs/page content through external services. Use an isolated environment and avoid using proxy fetch modes for private or internal pages.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If enabled in an agent with shell access, the skill may run local Python commands to perform web searches or fetch pages.
The skill can fall back to shell-style execution of the bundled helper script when dedicated search/fetch tools are unavailable. This is disclosed and scoped to the local search_fetch.py workflow, but it still gives the agent a more powerful execution path than a pure instruction-only skill.
`bash` / `run_python` / shell invocation of the local script
Allow shell fallback only when needed, keep it restricted to the bundled script, and review unusual commands before approving them.
A future dependency release could behave differently from the version originally intended by the skill author.
The optional setup installs unpinned Python packages. These dependencies are purpose-aligned for search, HTTP requests, parsing, and extraction, but unpinned installs can change over time.
"setup": "pip install ddgs requests beautifulsoup4 lxml trafilatura"
Install in an isolated environment and consider pinning or reviewing dependency versions before use.
If non-direct fetch strategies are used, public URLs and retrieved content may be visible to third-party services.
The helper can optionally route fetches through third-party services. The artifact clearly discloses this data flow and warns against sensitive/internal URLs, making it a purpose-aligned privacy note rather than a hidden exfiltration concern.
"jina" / "archive" / "auto-fallback": the target URL (and response content) passes through r.jina.ai or archive.org. Do NOT use these strategies for sensitive or internal URLs.
Use the default direct mode for ordinary fetching, and only use Jina or Archive for public pages that are acceptable to route through those services.
