tianyancha-cn
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: tianyancha-cn
Version: 1.0.0
The skill bundle is benign. It primarily consists of documentation (`SKILL.md`) describing how to query company information from legitimate third-party APIs (Tianyancha, Qichacha) using `curl` commands or a Python SDK. There is no executable code within the bundle, and the markdown instructions do not contain any prompt injection attempts, malicious commands, data exfiltration, or other harmful behaviors. The `_meta.json` and `package.json` files contain standard metadata.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill with a real token may consume API quota, incur costs, or expose activity under the user's provider account.
The skill documents use of provider API tokens. This is expected for Tianyancha/Qichacha API access, but it means the agent may use the user's paid or rate-limited provider account.
# Requires an API token
curl "https://open.api.tianyancha.com/services/open/search/2.0?keyword=腾讯" \
  -H "Authorization: YOUR_TOKEN"
Use only tokens intended for this purpose, monitor usage and billing, and avoid sharing long-lived secrets in contexts where they may be retained.
Installing an unverified or unpinned package could expose the user's environment to upstream package risks.
The skill suggests installing a third-party Python package without a pinned version or source verification. The setup is user-directed and purpose-aligned, but package provenance still matters.
# Third-party library
pip install tianyancha
from tianyancha import Tianyancha
Verify the package source, consider pinning a trusted version, and install it in a virtual environment only if the SDK is actually needed.
The external provider can see searched company names and associate requests with the token/account used.
The documented workflow sends company search keywords and an authorization token to an external provider API. This is disclosed and central to the skill's purpose, but provider data handling is not described.
curl "https://api.qichacha.com/ECIV4/GetEnterpriseByName?keyword=腾讯" \
  -H "Authorization: YOUR_TOKEN"
Do not query confidential targets unless the provider's terms, privacy practices, and account controls are acceptable.
