Company search fengniao

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a coherent, read-only company-risk lookup tool, but it sends company/person lookup queries and an API key to Riskbird’s external API.

This skill is reasonable to install if you want Riskbird company-risk lookups. Before using it, understand that your company/person search queries are sent to Riskbird, and if you provide your own FN_API_KEY it will be used in URL query parameters for those requests.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse (Severity: Low)
What this means

If you configure your own Riskbird key, the skill will use it for API requests and consume your account quota.

Why it was flagged

The skill uses either a user-provided FN_API_KEY or a built-in public API key, which is expected for this provider integration and is disclosed in the documentation.

Skill content
// Environment variable checked for a user-supplied Riskbird key
const ENV_KEY = "FN_API_KEY";
// Fallback key shipped with the skill, used when FN_API_KEY is not set
const BUILTIN_KEY = "eab076c5-b108-4a3f-b2fb-d97039b1a447";
Recommendation

Use a dedicated API key with appropriate quota/permissions, and rotate it if it is exposed outside your environment.

ASI07: Insecure Inter-Agent Communication (Severity: Low)
What this means

Company names, person-name searches, and due-diligence lookup parameters may be visible to the Riskbird service and could appear in URL logs along the request path.

Why it was flagged

Company search terms, entid values, and the API key are sent to Riskbird over its external API as URL parameters; this is purpose-aligned and disclosed, but users should understand the data flow.

Skill content
// Build the request URL for the selected Riskbird endpoint
const url = new URL(BASE_URL + tool.endpoint);
// The API key travels as a query parameter, so it is part of the URL
url.searchParams.set("apikey", apiKey);
// Search terms and entid values are appended as further query parameters
Object.entries(params).forEach(([k, v]) => { if (v != null) url.searchParams.set(k, v); });
Recommendation

Avoid submitting confidential investigation targets unless you are comfortable with Riskbird receiving those queries; prefer a dedicated key and check the provider’s privacy terms.

ASI04: Agentic Supply Chain Vulnerabilities (Severity: Info)
What this means

Users have less external provenance information to verify who maintains the package or where updates originate.

Why it was flagged

The package includes readable source and no external dependencies, but registry provenance is limited and local validation relies on included Node.js scripts.

Skill content
Source: unknown
Homepage: none
No install spec — this is an instruction-only skill.
Recommendation

Review the included source before use and install updates only from the trusted ClawHub registry entry.