Enterprise Business Information Inquiry - 企业工商信息查询 (Chinese: Enterprise Business Registration Information Query)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a straightforward read-only business information lookup skill that uses a Jisu API key and sends company queries to the disclosed Jisu API provider.

This skill looks coherent and read-only. Before installing, make sure you are comfortable providing a Jisu API key, having company lookup queries sent to JisuAPI, and trusting a package whose registry metadata does not list an upstream source or homepage.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Low
What this means

Running the skill consumes the user's Jisu API account permissions and quota, and may incur charges depending on the user's plan.

Why it was flagged

The skill reads the user's Jisu API key from the JISU_API_KEY environment variable and sends it as the appkey query parameter on every request to the intended enterprise information API. Because the key travels in the URL query string rather than in a header, it can be recorded wherever request URLs are logged (proxies, agent traces, error messages), so a leak does not require a compromise of the skill itself.

Skill content
appkey = os.getenv("JISU_API_KEY") ... all_params = {"appkey": appkey} ... requests.get(url, params=all_params, timeout=10)
Recommendation

Use a dedicated Jisu API key limited to the enterprise lookup APIs the skill needs, monitor quota and charges on the account, and rotate the key if it is shared or appears in logged request URLs.

ASI07: Insecure Inter-Agent Communication
Info
What this means

Company search terms and identifiers entered by the user are shared with the Jisu API provider as part of normal operation.

Why it was flagged

Company names, registration identifiers, and the API key are sent to the disclosed third-party Jisu API endpoint to perform the requested lookup.

Skill content
BASE_URL = "https://api.jisuapi.com/enterprise" ... requests.get(url, params=all_params, timeout=10)
Recommendation

Avoid querying confidential company names or internal identifiers unless sharing them with the Jisu API service is acceptable.
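The two findings above (ASI03, the key taken from JISU_API_KEY and sent as the appkey query parameter; ASI07, company identifiers and the key sent to the disclosed Jisu endpoint) point at the same three controls: fail closed when the key is missing, only ever send the key to the disclosed host over HTTPS, and keep the key out of logs and error messages while counting calls against a local budget. The wrapper below is an added example written for this review, not code from the skill or from ClawHub. It reuses the JISU_API_KEY variable, BASE_URL and appkey parameter shown in the scan excerpts; the "search" endpoint name, the default call budget and the sample keyword are illustrative assumptions.

```python
# Added example (not the skill's own code). Assumes the JISU_API_KEY variable,
# BASE_URL and "appkey" parameter from the scan excerpts; the "search" endpoint,
# the default budget of 100 calls and the sample keyword are assumptions.
import os
import urllib.parse
import urllib.request
from typing import Callable, Optional

BASE_URL = "https://api.jisuapi.com/enterprise"  # from the scan excerpt
ALLOWED_HOST = "api.jisuapi.com"                  # the disclosed provider


class QuotaExceeded(RuntimeError):
    """Raised when the local call budget is exhausted."""


def redact(url: str) -> str:
    """Return the URL with the appkey value replaced, for safe logging.

    The skill sends the key as a query parameter, so a raw request URL is
    secret-bearing and must not reach logs or error messages unchanged.
    """
    parts = urllib.parse.urlsplit(url)
    pairs = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    pairs = [(k, "REDACTED" if k == "appkey" else v) for k, v in pairs]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(pairs)))


def check_endpoint(url: str) -> None:
    """Fail closed unless the key would travel over HTTPS to the disclosed host."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "https" or parts.hostname != ALLOWED_HOST:
        raise ValueError(f"refusing to send appkey to {parts.scheme}://{parts.hostname}")


class JisuClient:
    def __init__(self, appkey: Optional[str] = None, budget: int = 100,
                 transport: Optional[Callable[[str], str]] = None):
        # Fail closed on a missing key instead of sending appkey=None.
        self.appkey = appkey if appkey is not None else os.getenv("JISU_API_KEY")
        if not self.appkey:
            raise RuntimeError("JISU_API_KEY is not set; refusing to call the API")
        self.budget = budget                          # local cap on calls
        self.calls = 0
        self.transport = transport or self._http_get  # injectable for offline tests

    @staticmethod
    def _http_get(url: str) -> str:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.read().decode("utf-8")

    def lookup(self, endpoint: str, **params: str) -> str:
        """Perform one lookup; every call is counted against the local budget."""
        if self.calls >= self.budget:
            raise QuotaExceeded(f"local budget of {self.budget} calls exhausted")
        all_params = {"appkey": self.appkey, **params}
        url = f"{BASE_URL}/{endpoint}?{urllib.parse.urlencode(all_params)}"
        check_endpoint(url)
        self.calls += 1
        try:
            return self.transport(url)
        except Exception as exc:
            # Re-raise with the redacted URL and drop the original chain, whose
            # message or attributes may carry the raw, key-bearing URL.
            raise RuntimeError(
                f"lookup failed ({type(exc).__name__}) for {redact(url)}") from None


if __name__ == "__main__":
    # Constructed offline run: the transport just echoes the URL it was given.
    client = JisuClient(appkey="example-key", budget=2, transport=lambda u: u)
    print(redact(client.lookup("search", keyword="某某科技有限公司")))
```

The transport is injected so the guard logic can be exercised without network access; with no transport supplied the client uses urllib with the same 10-second timeout as the excerpt. The local budget is only a tripwire for runaway agent loops, not a substitute for watching quota and charges on the Jisu account itself.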

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

Users have less provenance information for deciding whether to trust the publisher, but the supplied artifacts do not show hidden installation or unreviewed remote code.

Why it was flagged

The registry metadata does not provide an upstream source or homepage for the skill package, although the included code itself is visible and no remote install step is present.

Skill content
Source: unknown; Homepage: none
Recommendation

Install only if you trust the ClawHub publisher or have reviewed the included SKILL.md and enterprise.py contents.