ClawHub

Enterprise Contact Information Query - 企业联系方式查询

PassAudited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill Name: enterprisecontact Version: 1.0.4 The skill is a straightforward implementation for querying enterprise contact information via the JisuAPI service. The Python script (enterprisecontact.py) correctly handles environment variables for the API key and performs standard HTTP GET requests to a legitimate endpoint (api.jisuapi.com) without any signs of malicious execution, data exfiltration, or obfuscation.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

NoteHigh Confidence
ASI03: Identity and Privilege Abuse
What this means

Queries may use the user's JisuAPI account quota or paid allowance.

Why it was flagged

The skill reads the user's JisuAPI credential from the environment and uses it to authenticate provider requests; this is disclosed and aligned with the stated integration.

Skill content
appkey = os.getenv("JISU_API_KEY") ... params = {"appkey": appkey}
Recommendation

Use a dedicated JisuAPI key where possible, keep it out of chat messages and logs, and monitor quota or billing.

NoteHigh Confidence
ASI07: Insecure Inter-Agent Communication
What this means

Company lookup terms are shared with JisuAPI, and returned results may contain business or personal contact details.

Why it was flagged

The skill sends company identifiers such as company name, credit number, registration number, or organization code to an external provider API.

Skill content
QUERY_URL = "https://api.jisuapi.com/enterprisecontact/query" ... requests.get(QUERY_URL, params=params, timeout=10)
Recommendation

Avoid using the skill for confidential lookup targets unless JisuAPI's terms and privacy handling are acceptable; redact personal contact data when responding.

NoteHigh Confidence
ASI04: Agentic Supply Chain Vulnerabilities
What this means

Users have limited provenance information for the skill author or upstream repository.

Why it was flagged

The skill metadata does not provide an upstream source or homepage for the skill package, though the included code is small and no install-time execution is present.

Skill content
Source: unknown; Homepage: none
Recommendation

Review the included script before installing and prefer trusted publishers or repositories for production use.