tianyancha-cn
Pass
Audited by ClawScan on May 1, 2026.
Overview
This instruction-only company-search skill is coherent and benign, but users should notice that it relies on third-party APIs, API tokens, and an optional unpinned Python package.
This skill appears safe as an instruction-only reference for Chinese company information lookup. Before using it, confirm any API token is authorized for this use, understand possible API charges, avoid querying confidential targets unless provider terms are acceptable, and verify the optional Python package before installing it.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill with a real token may consume API quota, incur costs, or expose activity under the user's provider account.
The skill documents use of provider API tokens. This is expected for Tianyancha/Qichacha API access, but it means the agent may use the user's paid or rate-limited provider account.
# Requires an API token
curl "https://open.api.tianyancha.com/services/open/search/2.0?keyword=腾讯" \
  -H "Authorization: YOUR_TOKEN"
Use only tokens intended for this purpose, monitor usage and billing, and avoid sharing long-lived secrets in contexts where they may be retained.
Installing an unverified or unpinned package could expose the user's environment to upstream package risks.
The skill suggests installing a third-party Python package without a pinned version or source verification. The setup is user-directed and purpose-aligned, but package provenance still matters.
# Third-party library
pip install tianyancha
from tianyancha import Tianyancha
Verify the package source, consider pinning a trusted version, and install it in a virtual environment only if the SDK is actually needed.
The external provider can see searched company names and associate requests with the token/account used.
The documented workflow sends company search keywords and an authorization token to an external provider API. This is disclosed and central to the skill's purpose, but provider data handling is not described.
curl "https://api.qichacha.com/ECIV4/GetEnterpriseByName?keyword=腾讯" \
  -H "Authorization: YOUR_TOKEN"
Do not query confidential targets unless the provider's terms, privacy practices, and account controls are acceptable.
