Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
China company search fengniao
v1.0.2
A Skill for enterprise lookup, business-registration lookup, company lookup, company-information lookup and enterprise-risk lookup. Fengniao (风鸟, Riskbird) supports looking up a company's basic information, legal representative, shareholders, key personnel, outbound investments, registration changes and enterprise credit, as well as risk data such as enforcement actions, dishonest-debtor listings, high-consumption restrictions, abnormal-operation listings, serious violations and administrative penalties. It is suited to enterprise due diligence, partner background checks, supplier onboarding, customer risk identification, pre-signing verification...
⭐ 1 · 140 · 0 current · 0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implemented tools and endpoints. The package exposes company-search tools (fuzzy search, basic info, shareholders, risks) and only needs an API key for the Riskbird service (optional env FN_API_KEY). No unrelated services or credentials are requested.
Instruction Scope
SKILL.md and CLI instruct discovery then API calls using entid, require explicit disambiguation for ambiguous names, and forbid showing internal entid. Runtime behavior is limited to reading the skill’s local files and calling the Riskbird endpoints; it does not instruct reading user home files or other unrelated system state.
Install Mechanism
No install spec or external download is used. The package includes local Node.js scripts (client.mjs, tool.mjs, env.mjs) that perform network requests; nothing is fetched or executed from arbitrary external URLs at install time.
Credentials
Only one credential shape is used: an optional FN_API_KEY; if absent the code falls back to a built-in shared API key embedded in scripts/env.mjs. That is reasonable for a public-demo skill but has privacy/usage implications (shared quota, publisher tracking via fixed channel). No unrelated secrets or env vars are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It does not write files or modify other skills/configuration. The agent can invoke the skill autonomously (platform default), which is normal for skills.
Assessment
This skill appears to do exactly what it claims: query the Riskbird (风鸟) APIs for Chinese company and risk data. Before installing, note two practical points: (1) the package contains a built-in, shared API key (hard-coded) and a fixed channel parameter — the skill will use that key by default and is subject to the shared daily quota; if you prefer privacy or a dedicated quota, set FN_API_KEY in your environment to your own key; (2) the skill makes outbound requests to https://m.riskbird.com/prod-qbb-api (no other external endpoints) and reads only files bundled with the skill. If you are uncomfortable with autonomous agent invocation, restrict or review agent permissions; otherwise this package is internally consistent with its stated purpose.
scripts/client.mjs:2
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
latest · vk9783yn6yhsge79x3tyn9bm73n84htqw
Runtime requirements
Environment variables
FN_API_KEY (required)