Cnpj Lookup

Pass. Audited by ClawScan on May 1, 2026.

Overview

The skill appears to do what it claims: look up Brazilian CNPJ company records through disclosed public APIs, with local caching and no credential requirements.

Before installing, be comfortable with CNPJ queries being sent to the listed public APIs and with results being cached locally. If provenance is important, review the bundled script because the registry does not list a source homepage.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The CNPJ number being searched, along with the user's network metadata, may be visible to the selected public API provider.

Why it was flagged

The script makes network requests to fixed public CNPJ API providers, which is expected for this lookup skill and matches the documentation.

Skill content

"brasilapi": "https://brasilapi.com.br/api/cnpj/v1/{}",
"cnpjws": "https://publica.cnpj.ws/cnpj/{}",
"opencnpj": "https://api.opencnpj.org/{}"

Recommendation

Use the skill for CNPJ values you are comfortable querying through public services, and check provider terms or privacy expectations if needed.

What this means

Past lookup results may remain on disk locally and could be reused in later runs until the cache expires or is deleted.

Why it was flagged

Lookup results are cached locally for a default 24-hour TTL; the cached data can include company contact details and QSA partner names returned by the public APIs.

Skill content

CACHE_DIR = BASE_DIR / ".cache"
DEFAULT_TTL = int(os.environ.get("CNPJ_LOOKUP_TTL_SECONDS", 86400))

Recommendation

Clear the skill's .cache directory if you do not want lookup results retained locally, especially on shared machines.

What this means

Users have less external context for verifying the publisher or comparing the bundled code against an upstream project.

Why it was flagged

The registry metadata does not provide an upstream source or homepage, limiting independent provenance verification even though the supplied artifacts are coherent.

Skill content

Source: unknown
Homepage: none

Recommendation

Review the bundled files before installation and prefer trusted publishers or reproducible source links when provenance matters.