Corporate Pension Search Skill Pro (企业年金查询技能 Pro)
Pass. Audited by VirusTotal on May 9, 2026.
Overview
Type: OpenClaw Skill
Name: pension-search-pro
Version: 1.2.0

The skill bundle is a specialized OSINT tool designed to automate the search and reporting of corporate pension information in China. It uses shell scripts (search.sh and batch_search.sh) to call the Tavily API and generate structured Markdown reports for a predefined list of organizations. SKILL.md contains highly prescriptive instructions for the AI agent (for example, mandatory use of multiple search engines and PDF parsing), but these actions are aligned with the stated goal of pension verification and show no signs of data exfiltration, unauthorized access, or malicious intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
1. Scope contradiction: occupational pensions are searched despite SKILL.md saying otherwise
Impact: A user who expects enterprise-pension-only results may receive reports influenced by occupational-pension searches or classifications.
Detail: The script explicitly searches for and reports occupational-pension (职业年金) content, contradicting SKILL.md's repeated claim that the skill only queries enterprise pensions (企业年金) and does not query occupational pensions.
Evidence: "$company_name 企业年金 职业年金" (query: "<company> enterprise pension occupational pension") ... "# $company_name - 企业年金/职业年金调查报告" (report heading: "<company> - Enterprise/Occupational Pension Investigation Report") ... pension_type="职业年金" (pension_type="occupational pension")
Recommendation: Remove the occupational-pension search terms and report fields, or update the description to state the broader scope and require user confirmation before it is used.
2. Broad, mandatory external searching and browsing
Impact: Company names and search terms may be sent to multiple search providers, and the agent may browse many result pages and PDFs.
Detail: SKILL.md mandates broad external searching and browsing. This is consistent with an investigation/reporting skill, but the instructions are forceful and can generate a large number of external requests per company, which matters when the company list or research topic is sensitive or non-public.
Evidence (translated from SKILL.md): "Tavily API (must be used first)" ... "all 8 keyword combinations must be searched" ... "all 4 search engines must be used; none may be skipped" ... "visit the first 20 links one by one"
Recommendation: Let users limit the search engines, search depth, and PDF fetching, especially for sensitive or non-public research topics.
3. Tavily API key is read from disk or the environment and transmitted
Impact: A Tavily API key may be consumed and transmitted to Tavily when the script runs.
Detail: The script reads a Tavily API key from a local key file or from an environment variable and sends the selected key to Tavily in the request body. This is expected for Tavily search but should be clearly documented. Note the order in the evidence: the key file at "$SCRIPT_DIR/../tavily_keys.txt" (the parent of the script directory) is checked first, and TAVILY_API_KEY is only the "elif" fallback, so a stray key file on disk silently takes precedence over the environment.
Evidence: keys_file="$SCRIPT_DIR/../tavily_keys.txt" ... elif [ -n "$TAVILY_API_KEY" ]; then ... "api_key": "$api_key"
Recommendation: Use a scoped Tavily key, prefer the environment variable over a local key file (or at least check the environment first and warn when a key file is used), and declare the credential requirement in the registry metadata.
4. Inconsistent dependency and credential disclosure
Impact: Users may install the skill without realizing it expects curl and jq, and optionally a Tavily API key.
Detail: The packaged metadata declares binary dependencies and environment configuration, while the registry summary says there are no required binaries or environment variables. This is not hidden execution, but the setup contract is inconsistent between the registry, _meta.json, and the scripts.
Evidence (from _meta.json): "requires": { "bins": ["curl", "jq"], "env": { "TAVILY_API_KEY": "推荐,Tavily 搜索 API", "SEARXNG_URL": "可选,SearXNG 本地实例" } } (env descriptions translate to "Recommended, Tavily search API" and "Optional, local SearXNG instance")
Recommendation: Align the registry metadata, _meta.json, and the scripts so that required tools and optional credentials are clearly disclosed.
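The three consistency checks behind findings 1, 3 and 4 (declared scope versus script search terms, key-file fallback versus environment-only credentials, and declared bins/env versus what the host actually has) can be run mechanically before a skill is installed. The following is an added example written for this review; it is not ClawScan code and not part of the pension-search-pro bundle. The _meta.json fragment and the search.sh excerpt it checks are constructed here to match the evidence quoted in the findings above, and the function names (check_requires, find_key_file_fallback, find_out_of_scope_terms, preflight) are this example's own.

```python
"""Preflight consistency check for an OpenClaw-style skill bundle.

Added example (not ClawScan's or the skill's own code). It reproduces,
from embedded constructed inputs, the contract checks made by hand in
the findings above:
  1. declared bins in _meta.json "requires" are on PATH and declared
     env vars are set;
  2. the scripts fall back to a key file on disk instead of env only;
  3. the scripts search for terms SKILL.md declares out of scope.
"""
import json
import os
import re
import shutil

# Constructed _meta.json fragment, matching the quoted evidence.
META_JSON = """{
  "requires": {
    "bins": ["curl", "jq"],
    "env": {
      "TAVILY_API_KEY": "Recommended, Tavily search API",
      "SEARXNG_URL": "Optional, local SearXNG instance"
    }
  }
}"""

# Constructed excerpt of scripts/search.sh, matching the quoted evidence.
# Note the precedence: the key file is read first, the env var is the elif.
SEARCH_SH = r'''
keys_file="$SCRIPT_DIR/../tavily_keys.txt"
if [ -f "$keys_file" ]; then
  api_key=$(head -n1 "$keys_file")
elif [ -n "$TAVILY_API_KEY" ]; then
  api_key="$TAVILY_API_KEY"
fi
query="$company_name 企业年金 职业年金"
echo "# $company_name - 企业年金/职业年金调查报告"
'''

# Terms SKILL.md claims the skill never queries (occupational pension).
OUT_OF_SCOPE_TERMS = ["职业年金"]


def check_requires(meta_text, path_lookup=shutil.which, env=None):
    """Return (missing_bins, unset_env) for the declared requires block."""
    env = os.environ if env is None else env
    req = json.loads(meta_text).get("requires", {})
    missing_bins = [b for b in req.get("bins", []) if path_lookup(b) is None]
    unset_env = [k for k in req.get("env", {}) if not env.get(k)]
    return missing_bins, unset_env


def find_key_file_fallback(script_text):
    """Return on-disk key file paths the script reads credentials from."""
    return re.findall(r'keys_file="([^"]+)"', script_text)


def find_out_of_scope_terms(script_text, terms=OUT_OF_SCOPE_TERMS):
    """Return declared-out-of-scope terms present in search or report text."""
    return [t for t in terms if t in script_text]


def preflight(meta_text=META_JSON, script_text=SEARCH_SH, env=None):
    """Aggregate the checks. 'ok' is False on missing bins, a key-file
    fallback, or an out-of-scope term; unset env vars are reported but
    not fatal because _meta.json marks them recommended/optional."""
    missing_bins, unset_env = check_requires(meta_text, env=env)
    key_files = find_key_file_fallback(script_text)
    scope = find_out_of_scope_terms(script_text)
    return {
        "missing_bins": missing_bins,
        "unset_env": unset_env,
        "key_file_fallback": key_files,
        "out_of_scope_terms": scope,
        "ok": not (missing_bins or key_files or scope),
    }


if __name__ == "__main__":
    print(json.dumps(preflight(), ensure_ascii=False, indent=2))
```

Run against the constructed inputs, the report flags the key-file fallback at "$SCRIPT_DIR/../tavily_keys.txt" and the 职业年金 term, so "ok" is False regardless of whether curl and jq are installed; pointing the same functions at a real bundle's _meta.json and scripts/ directory is a one-line change.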
