UpKuaJing Company and People Search

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is coherent with its stated UpKuaJing company/people search purpose, but users should be aware that it uses an API key, can spend account balance, and stores some results locally.

Before installing, verify this is the UpKuaJing skill you intend to use, protect the UPKUAJING_API_KEY, and approve each paid search or enrichment request only after reviewing the expected cost and result handling.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Queries or enrichment calls may reduce the user's UpKuaJing account balance if approved and run.

Why it was flagged

The skill can perform paid API calls, but the artifact also instructs the agent to stop and obtain explicit confirmation before fee-incurring operations.

Skill content

**All API calls incur fees** ... **Any operation that incurs fees must first inform and wait for explicit user confirmation. Do not execute in the same message as the notification.**

Recommendation

Only approve searches after reviewing the expected number of calls, IDs, and cost; do not let the agent run paid calls without a separate confirmation.

What this means

Anyone with access to the API key could use the associated UpKuaJing account and balance.

Why it was flagged

The scripts read a service API key from the environment or local ~/.upkuajing/.env file and use it as a bearer credential for UpKuaJing API calls.

Skill content

API_KEY_ENV = "UPKUAJING_API_KEY" ... UPKUAJING_ENV_FILE = UPKUAJING_DIR / '.env' ... headers["Authorization"] = f"Bearer {api_key}"

Recommendation

Use a dedicated UpKuaJing API key, keep ~/.upkuajing/.env private, and revoke or rotate the key if it may have been exposed.

What this means

Search results may remain on disk after the task, where they could be reused or read later.

Why it was flagged

List-search results are appended to task result files and returned by file path, creating persistent local copies of retrieved business/person search data.

Skill content

append_result_data(task_id, company_list) ... 'file_url': get_task_result_file(task_id)

Recommendation

Treat generated task result files as potentially sensitive and delete them when no longer needed.

What this means

Users may rely on the 'official' wording when deciding to provide an API key or follow payment links.

Why it was flagged

The registry metadata presents an official-skill claim while also showing unknown source and no registry homepage, so users should verify provenance before trusting payment or credential flows.

Skill content

Description: Official skill for upkuajing ... Source: unknown; Homepage: none

Recommendation

Verify the publisher and UpKuaJing domain independently before entering credentials, creating keys, or topping up an account.