Skill v1.0.0
ClawScan security
UpKuaJing contact validity check, verify phone numbers, email addresses, and domains for B2B lead qualification. UpKuaJing helps sales teams, recruiters, and traders validate contact data, reduce bounced emails, and improve outreach efficiency — essential for CRM data cleaning, candidate screening, and supplier verification. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 17, 2026, 11:41 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent with its stated purpose: it requires a single UpKuaJing API key and Python, calls UpKuaJing endpoints to validate phones/emails/domains, and stores minimal per-skill files under ~/.upkuajing.
- Guidance: This skill appears to do what it says: validate phones, emails, and domains via UpKuaJing and requires only the UPKUAJING_API_KEY and Python. Before installing, consider: (1) API billing: all checks incur fees and the scripts may create payment orders or prompt you to top up; confirm you understand costs before confirming any fee-incurring action. (2) Persistence: the tool will read/write ~/.upkuajing/.env and a version cache under ~/.upkuajing; if you use the built-in 'apply for key' flow it will save a key to that file. (3) Logging: the code can log request/response bodies to ~/.upkuajing/logs if ENABLE_API_LOGGING is turned on; these logs could contain sensitive contact lists, so keep logging disabled or protect that directory. (4) Network activity: the client makes calls to openapi.upkuajing.com for validation and also performs a daily version check (posts skill name) on first API call. If you need more assurance, inspect the code yourself or run the scripts in a restricted environment, and avoid enabling logging if you plan to validate private contact data.
Review Dimensions
- Purpose & Capability (ok): Name/description, required env var (UPKUAJING_API_KEY), required binary (python), and the code all align: requests are sent to https://openapi.upkuajing.com and the scripts implement phone/email/domain validation. No unrelated cloud credentials or extraneous capabilities are requested.
- Instruction Scope (note): Runtime instructions stay within scope: they call the published validation APIs and require explicit user-provided inputs. The SKILL.md instructs the user to store the API key in ~/.upkuajing/.env and to confirm fee-incurring operations. Note: make_request triggers a daily version-check network call (version_check) on first API request, which is unrelated to a single validation call but is documented in code.
- Install Mechanism (ok): No download/install spec is provided (instruction-only with included Python scripts). requirements.txt lists a single dependency (httpx). This is proportionate for a Python-based HTTP client. No remote arbitrary binary downloads or extract operations are present.
- Credentials (note): Only UPKUAJING_API_KEY is required (declared as primaryEnv), which is appropriate. The skill reads/writes files under ~/.upkuajing (/.env and version_cache.json); this is expected but worth noting because the API key may be persisted to disk by the scripts when using the key-request flow. The code contains an API-logging facility that, if enabled, would log request and response bodies (potentially sensitive contact lists) to ~/.upkuajing/logs; logging is off by default (ENABLE_API_LOGGING = False).
- Persistence & Privilege (note): always:false (no forced inclusion). The skill writes its own files under the user's home (~/.upkuajing) for API key persistence and version cache; this is normal for a CLI-like tool but is persistent filesystem access and should be expected by users. It does not alter other skills or system-wide agent settings.
