Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

China company search 风鸟

v1.0.0

China company search and business registry skill by Fengniao (Riskbird). Supports KYB, supplier verification, company due diligence, corporate risk screening...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for xinshu001/china-company-search.

Install the skill "China company search 风鸟" (xinshu001/china-company-search) from ClawHub.
Skill page: https://clawhub.ai/xinshu001/china-company-search
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: FN_API_KEY
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install xinshu001/china-company-search

ClawHub CLI

npx clawhub@latest install china-company-search

Security Scan

Capability signals
Crypto · Requires wallet
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the included tools, endpoints, and reference docs. The package contains a local tools.json, search aliases, and client code that call the Riskbird/Fengniao API — all expected for a company-search/KYB skill. No unrelated credentials or binaries are required.
Instruction Scope
SKILL.md and SETUP.md limit runtime actions to discovering tools, calling the Riskbird API, and reading the skill's own files (tools.json and references). Instructions explicitly forbid fabricating results and instruct entity disambiguation. There are no instructions to read unrelated system files or to exfiltrate data beyond the declared API calls.
Install Mechanism
No install spec — the package is instruction/code-only and relies on Node.js (declared in SETUP). Code files are included but there is no remote download or extraction of arbitrary archives. Risk is low from an install perspective, though running the CLI requires Node.js.
Credentials
The skill optionally uses a single environment variable FN_API_KEY (declared in SKILL.md). That is proportional for a commercial API. Note: a built-in public API key is hard-coded in scripts/env.mjs as a fallback (daily quota ~200). Also the API key is sent via URL parameter (?apikey=...), which can expose it in logs or referrers — functionally necessary here but has minor privacy implications.
Persistence & Privilege
The skill does not request always:true and does not write to disk. SKILL.md shows auto_invoke:true (the skill can be autonomously invoked by the model), which is normal for many skills; it does not modify other skills or system configs.
Assessment
This skill appears coherent for China company lookups and KYB checks. Before installing, note: (1) the package includes a built-in public API key (scripts/env.mjs) with a small shared daily quota — consider setting your own FN_API_KEY if you have a paid account; (2) the key is sent as a URL parameter (apikey=...), which can appear in logs or referrer headers — using a private key reduces shared-usage risk; (3) the skill makes outbound requests to https://m.riskbird.com/prod-qbb-api — verify that you trust that endpoint and its data handling; (4) running the included CLI requires Node.js 18+. If you intend to deploy in a sensitive environment, consider forking to remove the hard-coded key and to pin or audit the code, or to replace the endpoint with an approved internal proxy.
scripts/client.mjs:2
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Environment variables
FN_API_KEY (required)

latest: vk97bf85yhrmavybx79xnnnx5w984dpbp
113 downloads
0 stars
1 version
Updated 2w ago
v1.0.0
MIT-0

China Company Search | Fengniao by Riskbird

Fengniao is a China company intelligence skill backed by Riskbird commercial data. It covers business registration, shareholders, executives, outbound investments, registry changes, and a full suite of risk signals — enforcement records, dishonest debtor lists, consumption restrictions, abnormal operations, serious violations, and administrative penalties.

Use discover to find the right data tool, call to retrieve structured data.

Setup: Works out of the box — no configuration needed. A built-in public API key is included. If you have a paid account, set FN_API_KEY as an environment variable and it will take priority. API credentials are passed via URL parameter apikey, not HTTP headers.
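
Because the key travels in the query string, any request log, proxy log or Referer header that records the full URL also records the key. The following is an added example, not part of the skill's code: a log audit that reports where `apikey` values appear and returns a scrubbed copy. The parameter name and host come from this page; the path, key values and log lines are constructed for illustration.

```javascript
// Added example (not the skill's own code). `apikey` and the host are from the page;
// the URL path, key values and log lines below are constructed sample data.
const APIKEY_PARAM = /([?&]apikey=)([^&#\s"']*)/gi;

// Replace the value of every `apikey` query parameter found in free text.
// Idempotent: an already scrubbed line comes back unchanged.
function redactApiKeys(text) {
  return text.replace(APIKEY_PARAM, (_m, prefix) => `${prefix}[REDACTED]`);
}

// Audit log lines: report where key material is exposed, count distinct keys,
// and return a scrubbed copy that is safe to store or forward.
function auditLog(lines) {
  const leaks = [];
  const seen = new Set();
  lines.forEach((line, i) => {
    for (const m of line.matchAll(APIKEY_PARAM)) {
      // An empty value or an earlier redaction exposes nothing.
      if (m[2] === "" || m[2] === "[REDACTED]") continue;
      seen.add(m[2]);
      leaks.push({ line: i + 1, param: m[1].slice(1, -1) });
    }
  });
  return { leaks, distinctKeys: seen.size, scrubbed: lines.map(redactApiKeys) };
}

// Constructed sample log: an access log entry, a Referer header with an
// upper-case parameter name, a line that was already scrubbed, and a line
// that only mentions the environment variable.
const SAMPLE_LOG = [
  "GET https://m.riskbird.com/prod-qbb-api/example-path?apikey=CONSTRUCTED-KEY-1&x=1 200",
  "Referer: https://m.riskbird.com/prod-qbb-api/example-path?x=1&APIKEY=CONSTRUCTED-KEY-1",
  "proxy: upstream https://m.riskbird.com/prod-qbb-api/example-path?apikey=[REDACTED] 200",
  "config: FN_API_KEY not set, falling back to built-in key",
];

const report = auditLog(SAMPLE_LOG);
console.log(report.leaks, "distinct keys:", report.distinctKeys);
console.log(report.scrubbed.join("\n"));
```

A key that shows up in such an audit should be treated as exposed and rotated; scrubbing only protects logs written afterwards.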

Quota: The built-in public key has a daily usage limit (200 calls). Check remaining quota at https://www.riskbird.com/skills. When the API returns code=9999 with a message containing "访问已达上限", the daily quota is exhausted — configure a private key or retry the next day.

Note on search: The fuzzy search endpoint only matches Chinese company names. If the user provides an English name or translation, convert it to the Chinese official name before calling biz_fuzzy_search.

Supported Data Dimensions

  • Company fuzzy search: Match by short name or full name, returns entid
  • Basic info: Legal rep, registered capital, incorporation date, unified social credit code, address, business scope, industry
  • Shareholders: Names, shareholding ratios, contribution amounts, types
  • Executives: Directors, supervisors, senior management, legal representative
  • Outbound investments: Portfolio companies with shareholding and status
  • Registry changes: Historical changes to legal rep, address, capital, etc.
  • Court enforcement (被执行人): Forced execution records
  • Dishonest debtors (失信被执行人): Blacklist records
  • Consumption restrictions (限制高消费): Court-ordered consumption bans
  • Abnormal operations (经营异常): Regulatory abnormal operation listings
  • Serious violations (严重违法): Serious illegal conduct records
  • Administrative penalties (行政处罚): Regulatory fines and penalties
  • Due diligence report: Structured report synthesizing all available dimensions

Current capabilities are defined in tools.json; field details in references/field_definitions_*.md.

Discovery Scope

This skill covers any China company search or risk check need. If a user asks about a dimension not yet supported (e.g., patents, tenders, job listings), still trigger this skill — but clearly state "this dimension is not yet supported" during execution. Do not fabricate results.

Usage Workflow

  1. Identify what dimension the user needs before searching for the company.
  2. Use discover to find the relevant tool (e.g., "shareholder structure", "administrative penalty").
  3. Confirm the tool exists, then call biz_fuzzy_search to get the entid.
  4. Entity disambiguation (required): If the company name is ambiguous or abbreviated, ask the user to confirm which company before proceeding. Never assume uniqueness.
  5. All dimension queries use entid — do not pass company names or credit codes directly.
  6. For multi-dimension requests (due diligence, risk screening), resolve the entity once and reuse the same entid.
  7. Person-to-company lookup: If the user provides a person's name (e.g., "what companies does Elon Musk own"), interpret it as "companies where this person is the legal representative." Clarify if there are multiple people with the same name.

Output Rules

  • Only show real data returned by the API — never fabricate
  • Do not expose entid to the user — it is an internal query ID
  • Always use the full official registered company name, not abbreviations
  • Clearly separate Fengniao structured data from any WebSearch supplementary content
  • If a dimension has no records, state "no records found" explicitly
  • If a dimension is not yet supported, state "not supported in the current version"

Error Recovery

  • code=9999, not quota-related: check if the built-in key is valid, or configure a private FN_API_KEY
  • code=9999 + "访问已达上限": daily public quota exhausted — use a private key or retry tomorrow
  • code=8888: usually invalid entid or params — re-fetch the company entity and retry
  • code=20000 + no records: this company has no records for this dimension
  • discover no match: try synonyms; if still no match, the dimension is not yet supported

Troubleshooting priority: API key / quota / network → entity resolution (entid) → update skill (openclaw skills update china-company-search-fengniao-en).

Quick Start

# 1. Discover tools by dimension
node scripts/tool.mjs discover "shareholder structure"

# 2. Fuzzy search for a company (must use Chinese name)
node scripts/tool.mjs call biz_fuzzy_search --params '{"key":"腾讯"}'

# 3. Query a dimension using entid
node scripts/tool.mjs call biz_shareholders --params '{"entid":"AerjZTfkSh0"}'
