Bainiu Enterprise Information Query (China Company Search Bainiu)

Pass. Audited by VirusTotal on May 13, 2026.

Overview

Type: OpenClaw Skill
Name: bainiu-enterprise-data-query
Version: 1.0.1

The skill is a legitimate enterprise data query tool for the Bainiu Data API (skillapi.bainiudata.com). The included Node.js scripts (call.js, find_tool.js, env.js) use standard libraries to perform authenticated HTTPS requests and manage configuration via .env files. There is no evidence of malicious intent, data exfiltration of sensitive system files, or prompt injection designed to subvert the agent's behavior beyond its stated purpose.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may choose among provider-defined tools that are not fully enumerated in the local documentation.

Why it was flagged

The agent relies on a remotely discovered tool catalog and can pass arbitrary key=value parameters to the selected provider tool. This is disclosed and central to the skill's purpose, but users should review the returned tool and parameters.

Skill content

The tool list is updated dynamically on an ongoing basis; the tools actually available are those returned by a `find_tool.js` query. ... `node scripts/call.js <tool-id> key1=value1 key2=value2`

Recommendation

Check the find_tool.js result before calling a tool, especially the tool description, required parameters, and whether the requested query is appropriate.

What this means

A stored API key can authorize usage of the user's Bainiudata account or quota, and a parent .env file could be used if it contains BAINIU_API_KEY.

Why it was flagged

The skill reads a provider API key from the environment or a .env file, including parent-directory lookup. This is expected for authenticated API access, but it is still a sensitive credential.

Skill content

`const ENV_API_KEY = 'BAINIU_API_KEY';` ... Starting from the directory containing the current script, walk up through the parent directories (at most 5 levels) looking for a .env file.

Recommendation

Use a dedicated, least-privilege API key if possible; store it in the skill's own .env file; avoid placing unrelated credentials in parent .env files; rotate the key if exposed.

What this means

Company names, search intent, and related query parameters may be visible to the external provider.

Why it was flagged

The user's query intent is posted to Bainiudata's external API. This provider communication is disclosed and purpose-aligned, but users should be aware of the data flow.

Skill content

`const API_HOST = 'https://skillapi.bainiudata.com/';` ... `formData.append('keyword', keyword);`

Recommendation

Do not submit confidential query terms or non-public business information unless you are comfortable sharing it with the provider under its terms.