Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

mcp-company-search

v1.0.0

Search corporate registries across multiple jurisdictions via L402 API. Find companies by name and jurisdiction for due diligence, compliance, and business r...

0· 108·0 current·0 all-time

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for haveblue997/mcp-company-search.

Install the skill "mcp-company-search" (haveblue997/mcp-company-search) from ClawHub.
Skill page: https://clawhub.ai/haveblue997/mcp-company-search
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: L402_API_BASE_URL
Required binaries: npx
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install mcp-company-search

ClawHub CLI

npx clawhub@latest install mcp-company-search

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Name/description align with a corporate-registry search tool. Requested binary (npx) is consistent with the SKILL.md example that launches an npm package. However, package/README author names differ (@vbotholemu vs. @blue-trianon) which is an internal inconsistency that reduces trust in provenance.
! Instruction Scope
SKILL.md and metadata declare L402_API_BASE_URL as the required env var and show an npx command; the actual runtime code ignores L402_API_BASE_URL and instead reads NAUTDEV_BASE_URL (defaulting to https://api.nautdev.com). That means the declared required env var will have no effect unless the correct NAUTDEV_BASE_URL is set — a mismatch between instructions and implementation.
Install Mechanism
No formal install spec (instruction-only) but SKILL.md expects to run npx to fetch @vbotholemu/mcp-company-search. Running npx downloads and executes code from npm at runtime (moderate risk). The included source files look straightforward and only perform HTTP GETs, but npx means arbitrary package code will be fetched from the registry when invoked — verify the npm package publisher before running.
! Credentials
Declared required env var is L402_API_BASE_URL (no secrets), which is proportionate if the goal is to override an API endpoint. But the code reads NAUTDEV_BASE_URL instead. There are no API keys or secret env vars requested by the skill, which is good, but the env-var name mismatch could cause the client to unintentionally point to the hardcoded default endpoint (api.nautdev.com).
Persistence & Privilege
Skill is not always-enabled and is user-invocable; it does not request elevated or persistent system privileges and does not modify other skills' configs. Autonomous invocation (disable-model-invocation false) is platform default and is not, by itself, a concern.
What to consider before installing
This package appears to implement a company-search MCP tool, but there are mismatches you should resolve before installing or running it. Specifically:

  (1) the SKILL metadata requires L402_API_BASE_URL but the code reads NAUTDEV_BASE_URL (so your override may be ignored and the tool will use https://api.nautdev.com by default);
  (2) package/README maintainers differ (@vbotholemu vs @blue-trianon) — confirm the actual npm package owner and trustworthiness;
  (3) SKILL.md expects to run npx, which will fetch and execute code from npm at runtime — only run npx for this package if you trust the publisher.

Recommended actions:

  • inspect the package on the npm registry (npmjs.com) and verify the publisher and recent publish history;
  • if you control the runtime, set NAUTDEV_BASE_URL explicitly (or patch the code) so the intended endpoint is used;
  • consider installing the package locally and reviewing its code rather than running npx directly;
  • if unsure, ask the publisher to correct the env-var and README inconsistencies.

dist/index.js:7: Environment variable access combined with network send.
src/index.ts:7: Environment variable access combined with network send.

Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🏢 Clawdis
Bins: npx
Env: L402_API_BASE_URL
latest: vk974kd7qkqzc20kk7qd4j646x18408x7
108 downloads
0 stars
1 version
Updated 3w ago
v1.0.0
MIT-0

Company Search (L402)

Search corporate registries across jurisdictions — find companies by name for due diligence and compliance.

Setup

{
  "mcpServers": {
    "company-search": {
      "command": "npx",
      "args": ["-y", "@vbotholemu/mcp-company-search"],
      "env": {
        "L402_API_BASE_URL": "https://api.nautdev.com"
      }
    }
  }
}

Tools

search_companies

Search companies by name within a jurisdiction.

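| Parameter    | Type   | Required | Description            |
|--------------|--------|----------|------------------------|
| name         | string | yes      | Company name to search |
| jurisdiction | string | yes      | Jurisdiction code      |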

list_jurisdictions

List all supported jurisdictions and their codes.

When to Use

  • KYC / due diligence checks
  • Business partner verification
  • Compliance research
  • Corporate registry lookups
