v1.0.0

Research Company

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 4:52 AM.

Analysis

The skill’s behavior matches its stated purpose of researching companies and generating a PDF, with only disclosed, purpose-aligned notes around web-sourced content, an unpinned package install, and local PDF-generation code.

Guidance

This appears safe to use for its stated purpose. Before installing, expect it to use web/search tools, possibly install the ReportLab Python package, run the included PDF generator, and write a temporary JSON file plus the final PDF. Verify important business claims against sources and install dependencies from a trusted environment.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Low, Confidence: High, Status: Note
SKILL.md
WebFetch: [company URL]
WebSearch: "[company name] funding news 2024"
...
Extract from website: company name, industry, HQ, founded, leadership...

The report is built from arbitrary external websites and search results. This is the intended research workflow, but fetched pages are untrusted content that can influence the generated report.

User impact: A company website or search result could shape what appears in the PDF, so inaccurate or manipulative source content may affect the report.
Recommendation: Verify important claims and citations, and treat web page text as evidence to summarize rather than instructions to follow.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: High, Status: Note
SKILL.md
# Install if needed
pip install reportlab

The skill relies on an unpinned third-party package install at use time. ReportLab is appropriate for the stated PDF-generation purpose, but it is not locked or declared in an install spec.

User impact: Installing packages during use can introduce dependency provenance and version-drift risk.
Recommendation: Install ReportLab from a trusted package source, preferably with a pinned version in a controlled environment.

Unexpected Code Execution
Severity: Info, Confidence: High, Status: Note
SKILL.md
python3 scripts/generate_report.py /tmp/research_data.json /path/to/output/report.pdf

The workflow runs included local Python code and writes temp/output files. This is disclosed and matches the PDF-generation purpose, but users should still expect local command execution.

User impact: The skill will execute a local script to create the report PDF and write files to the chosen output location.
Recommendation: Run it from the expected skill directory, use a workspace output path, and review the generated JSON when accuracy matters.