firmenbuchat

Pass

Audited by VirusTotal on May 13, 2026.

Overview

Type: OpenClaw Skill
Name: firmenbuchat
Version: 0.2.3

The skill bundle is benign. It provides a CLI wrapper for the Austrian company register (Firmenbuch) API. The `skill.md` file details standard installation methods (Homebrew, uv from GitHub) and usage instructions for the `firmenbuchat` CLI tool. All commands and configurations, including API key handling, are directly related to the stated purpose of interacting with the Firmenbuch service. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, obfuscation, or prompt injection attempts against the AI agent beyond the intended execution of the described commands.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent or user can make Firmenbuch service requests using the user's API key, which may affect account access, usage limits, or billing depending on the provider.

Why it was flagged

The skill expects use of a Firmenbuch service API key via config, environment variable, .env file, or direct CLI argument. This is expected for the service, but it gives the CLI access under the user's credential.

Skill content

Setup (API key)
- `firmenbuchat config set-key`
- `export FIRMENBUCH_API_KEY="dein-key"`
... `-k, --api-key`: pass the API key directly

Recommendation

Use a dedicated API key if available, avoid passing secrets directly on the command line when possible, and remove the key with the documented config delete command when no longer needed.

What this means

Installing the skill means trusting the external firmenbuchat package source to provide the binary the skill will invoke.

Why it was flagged

Installation depends on an external Homebrew tap or GitHub package rather than code included in the skill artifact. This is typical for a CLI wrapper, but it is a supply-chain trust point.

Skill content

"install":[{"id":"brew","kind":"brew","formula":"pasogott/tap/firmenbuchat"...},{"id":"uv","kind":"shell","command":"uv add git+https://github.com/pasogott/firmenbuch-aip.git"...}]

Recommendation

Install only if you trust the referenced Homebrew tap/GitHub project, and prefer pinned or reviewed releases where available.

What this means

The skill can create local downloaded document files when asked to do so.

Why it was flagged

The CLI can download company-register documents and write them to a user-specified output path. This is directly aligned with the stated purpose and user-directed.

Skill content

Download: `firmenbuchat urkunde download <URKUNDEN_KEY> [--output PATH]`

Recommendation

Choose output paths intentionally and review downloaded files before sharing them.