Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

China company search fengniao

v1.0.0

China company search and business registry skill by Fengniao (Riskbird). Supports KYB, supplier verification, company due diligence, corporate risk screening...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for elijah-pi/china-company-search-fengniao.

Install the skill "China company search fengniao" (elijah-pi/china-company-search-fengniao) from ClawHub.
Skill page: https://clawhub.ai/elijah-pi/china-company-search-fengniao
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: FN_API_KEY
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install china-company-search-fengniao

ClawHub CLI


npx clawhub@latest install china-company-search-fengniao

Security Scan

VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Name/description match the included tools.json, reference docs, and client code: the package calls Riskbird/Fengniao endpoints for company search and risk dimensions. Declared capabilities (fuzzy search, B1–D11 etc.) align with the endpoints listed in tools.json and the reference field documents.
Instruction Scope
SKILL.md and SETUP.md instruct the agent to use discover/call and to avoid exposing internal entid. However, the runtime client.call() returns the raw API JSON (which includes entid and other internal IDs) — the code does not enforce the SKILL.md rule to redact entid. Also SKILL.md asks the agent to 'convert English names to Chinese' before using biz_fuzzy_search, but no translation step is implemented in the code. These are functional/instruction mismatches that could lead to unintended data exposure or incorrect queries.
Install Mechanism
No install spec is present; the package is instruction+scripts only. Code is plain JS (Node 18+). There are no remote downloads or archive extracts. Risk from installation is low, but the runtime will execute bundled Node code if the agent runs it.
Credentials
Only one optional env var (FN_API_KEY) is referenced. The package contains a hard-coded built-in public API key (BUILTIN_KEY) used as fallback; this matches SKILL.md. Hardcoding a public key is not necessarily malicious but means requests will run under a shared key (quota, tracking). The client sends credentials as a URL parameter (apikey), which is consistent with the docs but can be observable in logs/refs — worth noting.
Persistence & Privilege
Registry flags show no always:true, and the skill is user-invocable with normal autonomous invocation allowed. The skill does not request to modify other skills, system config, or persist its own settings beyond reading environment and package files.
What to consider before installing
This package appears to implement the advertised China company search functionality and only asks for one optional environment variable (FN_API_KEY). Before installing: (1) be aware a built-in public API key is hard-coded — usage will hit a shared daily quota and may be visible to the service operator; prefer setting your private FN_API_KEY if you have one. (2) The runtime client returns raw API responses (including internal entid values) but SKILL.md requires entid be hidden — ensure the agent or calling code will redact entid before showing output. (3) The skill instructs converting English names to Chinese but provides no automatic translation — expect fuzzy search failures if you pass English names. (4) Running the skill executes Node scripts (Node 18+); review code and test in a controlled environment. These mismatches are likely sloppy design rather than malicious, but they create a risk of accidental data exposure or unexpected quota usage — proceed only after addressing the redaction and key-management points.
scripts/client.mjs:2
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Environment variables
FN_API_KEY (required)
latest vk9739519b8b3c2f1vk6jqpsjdn842j0f
137 downloads
0 stars
1 versions
Updated 3w ago
v1.0.0
MIT-0

China Company Search | Fengniao by Riskbird

Fengniao is a China company intelligence skill backed by Riskbird commercial data. It covers business registration, shareholders, executives, outbound investments, registry changes, and a full suite of risk signals — enforcement records, dishonest debtor lists, consumption restrictions, abnormal operations, serious violations, and administrative penalties.

Use discover to find the right data tool, call to retrieve structured data.

Setup: Works out of the box — no configuration needed. A built-in public API key is included. If you have a paid account, set FN_API_KEY as an environment variable and it will take priority. API credentials are passed via URL parameter apikey, not HTTP headers.

Quota: The built-in public key has a daily usage limit (200 calls). Check remaining quota at https://www.riskbird.com/skills. When the API returns code=9999 with a message containing "访问已达上限", the daily quota is exhausted — configure a private key or retry the next day.

Note on search: The fuzzy search endpoint only matches Chinese company names. If the user provides an English name or translation, convert it to the Chinese official name before calling biz_fuzzy_search.

Supported Data Dimensions

  • Company fuzzy search: Match by short name or full name, returns entid
  • Basic info: Legal rep, registered capital, incorporation date, unified social credit code, address, business scope, industry
  • Shareholders: Names, shareholding ratios, contribution amounts, types
  • Executives: Directors, supervisors, senior management, legal representative
  • Outbound investments: Portfolio companies with shareholding and status
  • Registry changes: Historical changes to legal rep, address, capital, etc.
  • Court enforcement (被执行人): Forced execution records
  • Dishonest debtors (失信被执行人): Blacklist records
  • Consumption restrictions (限制高消费): Court-ordered consumption bans
  • Abnormal operations (经营异常): Regulatory abnormal operation listings
  • Serious violations (严重违法): Serious illegal conduct records
  • Administrative penalties (行政处罚): Regulatory fines and penalties
  • Due diligence report: Structured report synthesizing all available dimensions

Current capabilities are defined in tools.json; field details in references/field_definitions_*.md.

Discovery Scope

This skill covers any China company search or risk check need. If a user asks about a dimension not yet supported (e.g., patents, tenders, job listings), still trigger this skill — but clearly state "this dimension is not yet supported" during execution. Do not fabricate results.

Usage Workflow

  1. Identify what dimension the user needs before searching for the company.
  2. Use discover to find the relevant tool (e.g., "shareholder structure", "administrative penalty").
  3. Confirm the tool exists, then call biz_fuzzy_search to get the entid.
  4. Entity disambiguation (required): If the company name is ambiguous or abbreviated, ask the user to confirm which company before proceeding. Never assume uniqueness.
  5. All dimension queries use entid — do not pass company names or credit codes directly.
  6. For multi-dimension requests (due diligence, risk screening), resolve the entity once and reuse the same entid.
  7. Person-to-company lookup: If the user provides a person's name (e.g., "what companies does Elon Musk own"), interpret it as "companies where this person is the legal representative." Clarify if there are multiple people with the same name.

Output Rules

  • Only show real data returned by the API — never fabricate
  • Do not expose entid to the user — it is an internal query ID
  • Always use the full official registered company name, not abbreviations
  • Clearly separate Fengniao structured data from any WebSearch supplementary content
  • If a dimension has no records, state "no records found" explicitly
  • If a dimension is not yet supported, state "not supported in the current version"
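
The scan above notes that the bundled client returns raw API JSON, so the entid rule is not enforced in code, and that the apikey travels in the URL where logs can capture it. The following is an added example, not code from this skill, of a display-boundary filter that strips entid from a parsed response and masks apikey before a URL is logged. The response shape, the entName and shareholders fields, the host and all sample values are constructed assumptions; only entid, apikey and code=20000 come from this page.

```javascript
// Added example, not part of the skill's scripts/ directory.
// `entid` and `apikey` are named on this page; everything else is constructed.

const INTERNAL_KEYS = new Set(["entid"]);

// Recursively drop internal ID fields from a parsed API response.
// Returns a new structure; the original is left intact so the agent can
// still reuse entid for follow-up dimension queries.
function redactInternalIds(value) {
  if (Array.isArray(value)) return value.map(redactInternalIds);
  if (value !== null && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      if (INTERNAL_KEYS.has(k.toLowerCase())) continue; // skip internal IDs
      out[k] = redactInternalIds(v);
    }
    return out;
  }
  return value;
}

// Mask the apikey query parameter before a request URL reaches a log line.
function maskApiKey(rawUrl) {
  const u = new URL(rawUrl);
  if (u.searchParams.has("apikey")) u.searchParams.set("apikey", "REDACTED");
  return u.toString();
}

// Constructed sample response (field names other than entid/code are assumptions).
const sampleResponse = {
  code: 20000,
  data: {
    list: [
      {
        entid: "PLACEHOLDER_ID_1",
        entName: "示例有限公司",
        shareholders: [{ name: "张三", entid: "PLACEHOLDER_ID_2" }],
      },
    ],
  },
};

// Constructed URL; the host is a placeholder, not the real endpoint.
const sampleUrl = "https://api.example.invalid/search?key=test&apikey=PLACEHOLDER_KEY";

console.log(JSON.stringify(redactInternalIds(sampleResponse)));
console.log(maskApiKey(sampleUrl));
```

Apply the filter only to what is shown to the user; the unredacted object is still needed internally because every dimension query takes entid.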

Error Recovery

  • code=9999, not quota-related: check if the built-in key is valid, or configure a private FN_API_KEY
  • code=9999 + "访问已达上限": daily public quota exhausted — use a private key or retry tomorrow
  • code=8888: usually invalid entid or params — re-fetch the company entity and retry
  • code=20000 + no records: this company has no records for this dimension
  • discover no match: try synonyms; if still no match, the dimension is not yet supported

Troubleshooting priority: API key / quota / network → entity resolution (entid) → update skill (openclaw skills update china-company-search-fengniao-en).

Quick Start

# 1. Discover tools by dimension
node scripts/tool.mjs discover "shareholder structure"

# 2. Fuzzy search for a company (must use Chinese name)
node scripts/tool.mjs call biz_fuzzy_search --params '{"key":"腾讯"}'

# 3. Query a dimension using entid
node scripts/tool.mjs call biz_shareholders --params '{"entid":"AerjZTfkSh0"}'
