Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
China company search wendaoyun
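v1.0.11
WenDaoYun company information lookup tool. It supports querying basic company information, business operations information, financial information, public-sentiment information, and various corporate risk indicators through the WenDaoYun API. It is triggered when the user needs to look up company-related information.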
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's name/description, SKILL.md, references, and Python client all align: it calls WenDaoYun APIs to search companies and fetch details and requires an API key. Requesting an API key and reading two local config paths is appropriate for this purpose. However, metadata inconsistencies exist: registry.json and SKILL.md declare WENDAOYUN_API_KEY as required/primary credential, while the provided top-level 'Requirements' block reported no required env vars/primary credential. Version numbers also differ across files (registry.json 1.0.9, SKILL.md 1.0.10, registry metadata 1.0.11).
Instruction Scope
SKILL.md instructs a two-step flow (fuzzy search then user confirmation then detail API), and the Python client implements only API calls and local config/env reading. The instructions do not request unrelated files, broad system context, or transmit data to unexpected endpoints. All network calls target the documented base_url (https://h5.wintaocloud.com/prod-api/api/invoke).
Install Mechanism
No install spec is provided (instruction-only with an included client file). No downloads or archive extraction are defined. The only runtime dependency observed is Python 'requests' used in the client, which is expected for an HTTP client.
Credentials
The client legitimately requires a single API credential (WENDAOYUN_API_KEY) and reads config from ~/.config/wendao-yun/config.json or wendao-yun-config.json or the env var. That is proportional. The concern is the inconsistent packaging metadata: the top metadata claims 'no required env vars / no primary credential' while registry.json and SKILL.md require WENDAOYUN_API_KEY. This mismatch could lead to silent failures or misconfigured deployments and suggests the package was not properly prepared.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no install scripts or persistent system-level changes. It only reads local config files and the environment for an API key, which is expected behavior.
What to consider before installing
This skill appears to implement exactly what it claims: a WenDaoYun API client that needs one API key and will call h5.wintaocloud.com. However, there are packaging inconsistencies you should address before installing: the registry and SKILL.md require WENDAOYUN_API_KEY but the top-level metadata omitted it, and file versions disagree. Actionable steps:
- Confirm you will provide WENDAOYUN_API_KEY (via env var or one of the two config paths) before enabling the skill.
- Verify the API base URL (https://h5.wintaocloud.com/prod-api/api/invoke) is the official WenDaoYun endpoint and that you trust it.
- Because the skill's source/owner and homepage are unknown, review scripts/api_client.py yourself (it is small) to ensure no hidden behavior; it currently only performs HTTP calls and local config reads.
- If you install, use a scoped API key with minimal privileges and monitor usage (the doc notes a 200 calls/day limit).
- Prefer contacting the skill author or requesting a corrected package (matching registry.json, SKILL.md, and published metadata) to resolve the version/metadata mismatch before granting any credentials.

Like a lobster shell, security has layers — review code before you run it.
