Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

企查查

v1.2.1

Looks up a company's basic registration information and intellectual property (patents, trademarks, copyrights) by company name; data is sourced from 企查查, 天眼查 and similar services.

0 stars · 428 downloads · 1 current · 1 all-time
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to query public company information from sources such as 企查查/天眼查; the implementation instead proxies every query through a third-party search service (api.tavily.com). Using an aggregator is plausible, but package.json also declares a dependency (node-fetch) that the code never uses. That is a minor mismatch, not harmful by itself.
Instruction Scope
SKILL.md instructs the agent or user to run npm install and execute qichacha.js, which matches the included code. The README names direct data sources (企查查/天眼查), but at runtime the script sends search queries to Tavily; SKILL.md mentions neither this external service nor the API key embedded in the code.
Install Mechanism
There is no formal install spec, but SKILL.md tells users to run npm install in the skill directory. package-lock.json records dependencies and resolved tarball URLs that point to mirrors.tencentyun.com over plain HTTP; fetching packages over HTTP increases the risk of tampering in transit. npm does verify the integrity hash recorded for a lockfile entry, so an entry that carries one is protected against in-transit modification even over HTTP; any entry without one is not, and because the lockfile itself ships with the untrusted skill, a matching hash only proves that the tarball is the one the author pinned. The code also never uses the declared dependency (node-fetch), so npm install pulls packages that nothing needs.
Credentials
The skill requests no user credentials, which is reasonable for a public lookup, but it hard-codes a Tavily API key inside qichacha.js. Embedding a third-party API key in source is unexpected: anyone who reads the file can extract and reuse the key, and the key's owner (the maintainer) can observe every query routed through it. Because the skill never asks for the user's own credentials, the direct exfiltration risk is low, but a secret in code remains a proportionality and privacy concern.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide settings, and is user-invocable only. It makes network calls at runtime (to api.tavily.com), which is expected for a lookup skill.
What to consider before installing
Before installing or running this skill:

  1. Review qichacha.js yourself (or have someone you trust do so). It contains a hard-coded Tavily API key; if you control that key, remove it from the source or rotate it.
  2. Be aware that npm install fetches dependency tarballs from the URLs in package-lock.json, which point to HTTP mirrors. That raises the risk of tampered packages; prefer installing in a sandbox and verify package integrity (check that every lockfile entry carries an integrity hash and that the hashes come from a source you trust).
  3. If you need guarantees about data handling, prefer skills that ask you to supply your own API credentials rather than embedding a vendor key, or that call the official public sites directly.
  4. If unsure, do not run npm install at all. If you do run the script, do so on an isolated machine or container and monitor outbound network traffic; the only expected destination is api.tavily.com.


latest: vk97drtsvtt56hs45m811vk392d82c6gf
428 downloads
0 stars
6 versions
Updated 8h ago
v1.2.1
License: MIT-0

企查查 - Company Information Lookup

Looks up a company's complete profile by company name, including basic registration details and intellectual property.

Install dependencies

cd ~/.openclaw/skills/qichacha
npm install

Usage

# Look up a company
./qichacha.js "company name"

# Examples
./qichacha.js "腾讯"
./qichacha.js "阿里巴巴"
./qichacha.js "深圳市图灵机器人有限公司"

Output

[Basic information]
- Company name, unified social credit code
- Legal representative, company type, operating status
- Registered capital, paid-in capital, date of establishment
- Registered address, contact phone number
- Business scope

[Intellectual property]
- Patents
- Trademarks
- Copyrights

[Data sources]
- Links to 企查查, 天眼查 and 爱企查

Notes

  1. Information comes from public data and may be out of date.
  2. Some details can only be viewed after logging in.
  3. The more precise the company name, the more accurate the results.
  4. For fuller information, visit the links provided.

Comments

Loading comments...