Malaysian Business Lookup (SSM)
v1.0.0
Look up Malaysian company registration data from SSM. Returns directors, status, filings, business type.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code's declared functionality (look up Malaysian SSM data). The declared required env var (SKILLPAY_API_KEY) aligns with the built-in billing call. However, the code queries a third‑party backend (SSM_API_BASE = https://ssm-api.swmengappdev.workers.dev) rather than an official SSM API; the SKILL.md does not disclose that a non‑official service will receive all queries.
Instruction Scope
The runtime instructions are minimal, but the implementation sends the user's query (name or registration number) to an external worker endpoint. The SKILL.md does not mention this external endpoint or who operates it. Data (company queries) will be transmitted off‑platform to that third party — users should be informed about where queries go and how results are sourced and stored.
Install Mechanism
There is no install spec and no downloads. The skill is instruction/code only and appears intended to run as a Cloudflare Worker (wrangler.toml present). No installers or archive downloads were found.
Credentials
Only SKILLPAY_API_KEY is required, and this is used by the code to charge the caller via chargeUser(). Requiring a billing API key is proportionate to the advertised per‑call pricing. No unrelated credentials or broad filesystem paths are requested.
Persistence & Privilege
The skill is not always‑on and does not request elevated platform privileges. It does not modify other skills' configs. Autonomous invocation is allowed (platform default) but not combined with other high‑risk privileges.
Scan Findings in Context
[EXTERNAL_HOST_SWMENGAPPDEV] unexpected: The lookup implementation posts queries to https://ssm-api.swmengappdev.workers.dev — a third‑party endpoint rather than an official SSM endpoint. This is not disclosed in SKILL.md; users may reasonably expect direct official data or a disclosed proxy.
[CHARGE_USER_BILLING] expected: The code calls chargeUser(...) and requires SKILLPAY_API_KEY; this aligns with the advertised $0.05 per call pricing via SkillPay.me and is expected for a paid skill.
[CLOUDFLARE_WORKER_MANIFEST] expected: wrangler.toml with an account_id indicates the code is set up as a Cloudflare Worker. That's consistent with how the included endpoint is hosted.
What to consider before installing
This skill will charge users (SKILLPAY_API_KEY is required) and sends every query to a third‑party worker (ssm-api.swmengappdev.workers.dev) rather than an official SSM endpoint. Before installing:
1) Confirm you trust the operator (who runs the swmengappdev worker) and understand their data handling/privacy and retention policies.
2) Ask the publisher where the SSM data is sourced from and whether it’s licensed/scraped lawfully.
3) Consider testing with non‑sensitive queries first and review returned data for accuracy.
4) If you must protect query confidentiality, do not provide SKILLPAY_API_KEY or block outbound network calls to unknown hosts.
If the publisher can document provenance or point to a well‑known official API/proxy, that would reduce the risk.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🏢 Clawdis
Env: SKILLPAY_API_KEY
latest
Malaysian Business Lookup (SSM)
Query Malaysian company registration data. Returns structured company information.
Usage
Input:
- query: Company name or registration number (e.g., "202001012345" or "Petronas")
- type: "name" or "registration_number" (default: auto-detect)
Output:
- Company name and registration number
- Business type (Sdn Bhd, Bhd, Enterprise, LLP, etc.)
- Status (Active, Dormant, Dissolved, etc.)
- Incorporation date
- Registered address
- Directors list
- Nature of business (SSM section/division codes)
Pricing
$0.05 USDT per call via SkillPay.me
