Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
mcp-company-search
v1.0.0
Search corporate registries across multiple jurisdictions via L402 API. Find companies by name and jurisdiction for due diligence, compliance, and business r...
⭐ 0 · 32 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description align with a corporate-registry search tool. The requested binary (npx) is consistent with the SKILL.md example, which launches an npm package. However, the package and README author names differ (@vbotholemu vs. @blue-trianon), an internal inconsistency that reduces trust in provenance.
Instruction Scope
SKILL.md and metadata declare L402_API_BASE_URL as the required env var and show an npx command; the actual runtime code ignores L402_API_BASE_URL and instead reads NAUTDEV_BASE_URL (defaulting to https://api.nautdev.com). That means the declared required env var will have no effect unless the correct NAUTDEV_BASE_URL is set — a mismatch between instructions and implementation.
Install Mechanism
No formal install spec (instruction-only), but SKILL.md expects to run npx to fetch @vbotholemu/mcp-company-search. Running npx downloads and executes whatever the registry serves for that package name at invocation time (moderate risk). The included source files look straightforward and only perform HTTP GETs, but with npx the code that actually runs is whatever is fetched from the registry, which may differ from the bundled sources. Verify the npm package publisher before running.
Credentials
Declared required env var is L402_API_BASE_URL (no secrets), which is proportionate if the goal is to override an API endpoint. But the code reads NAUTDEV_BASE_URL instead. There are no API keys or secret env vars requested by the skill, which is good, but the env-var name mismatch could cause the client to unintentionally point to the hardcoded default endpoint (api.nautdev.com).
Persistence & Privilege
Skill is not always-enabled and is user-invocable; it does not request elevated or persistent system privileges and does not modify other skills' configs. Autonomous invocation (disable-model-invocation false) is platform default and is not, by itself, a concern.
What to consider before installing
This package appears to implement a company-search MCP tool, but there are mismatches you should resolve before installing or running it. Specifically:
(1) the SKILL metadata requires L402_API_BASE_URL but the code reads NAUTDEV_BASE_URL (so your override may be ignored and the tool will use https://api.nautdev.com by default);
(2) package/README maintainers differ (@vbotholemu vs @blue-trianon); confirm the actual npm package owner and trustworthiness;
(3) SKILL.md expects to run npx, which will fetch and execute code from npm at runtime; only run npx for this package if you trust the publisher.
Recommended actions: inspect the package on the npm registry (npmjs.com) and verify the publisher and recent publish history; if you control the runtime, set NAUTDEV_BASE_URL explicitly (or patch the code) so the intended endpoint is used; consider installing the package locally and reviewing its code rather than running npx directly; if unsure, ask the publisher to correct the env-var and README inconsistencies.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing. Like a lobster shell, security has layers — review code before you run it.
dist/index.js:7
Environment variable access combined with network send.
src/index.ts:7
Environment variable access combined with network send.
latest: vk974kd7qkqzc20kk7qd4j646x18408x7
Runtime requirements
🏢 Clawdis
Bins: npx
Env: L402_API_BASE_URL
