v1.0.6

UpKuaJing Company and People Search

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 8:22 AM.

Analysis

The skill is coherent with its stated UpKuaJing company/people search purpose, but users should notice that it uses an API key, can spend account balance, and stores some results locally.

Guidance

Before installing, verify this is the UpKuaJing skill you intend to use, protect the UPKUAJING_API_KEY, and approve each paid search or enrichment request only after reviewing the expected cost and result handling.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium; Confidence: High; Status: Note
SKILL.md
**All API calls incur fees** ... **Any operation that incurs fees must first inform and wait for explicit user confirmation. Do not execute in the same message as the notification.**

The skill can perform paid API calls, but the artifact also instructs the agent to stop and obtain explicit confirmation before fee-incurring operations.

User impact: Queries or enrichment calls may reduce the user's UpKuaJing account balance if approved and run.
Recommendation: Only approve searches after reviewing the expected number of calls, IDs, and cost; do not let the agent run paid calls without a separate confirmation.

Human-Agent Trust Exploitation
Severity: Low; Confidence: Medium; Status: Note
metadata
Description: Official skill for upkuajing ... Source: unknown; Homepage: none

The registry metadata presents an official-skill claim while also showing unknown source and no registry homepage, so users should verify provenance before trusting payment or credential flows.

User impact: Users may rely on the 'official' wording when deciding to provide an API key or follow payment links.
Recommendation: Verify the publisher and UpKuaJing domain independently before entering credentials, creating keys, or topping up an account.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium; Confidence: High; Status: Note
scripts/common.py
API_KEY_ENV = "UPKUAJING_API_KEY" ... UPKUAJING_ENV_FILE = UPKUAJING_DIR / '.env' ... headers["Authorization"] = f"Bearer {api_key}"

The scripts read a service API key from the environment or local ~/.upkuajing/.env file and use it as a bearer credential for UpKuaJing API calls.

User impact: Anyone with access to the API key could use the associated UpKuaJing account and balance.
Recommendation: Use a dedicated UpKuaJing API key, keep ~/.upkuajing/.env private, and revoke or rotate the key if it may have been exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low; Confidence: High; Status: Note
scripts/company_list_search.py
append_result_data(task_id, company_list) ... 'file_url': get_task_result_file(task_id)

List-search results are appended to task result files and returned by file path, creating persistent local copies of retrieved business/person search data.

User impact: Search results may remain on disk after the task, where they could be reused or read later.
Recommendation: Treat generated task result files as potentially sensitive and delete them when no longer needed.