Official skill for upkuajing (跨境魔方). Find companies (找公司) and global people (找人) data. Get business registration, background info, and contact details (Email...
Security Analysis
high confidenceThe skill's code, requirements, and runtime instructions are internally consistent with a data‑search API client that needs an UPKUAJING_API_KEY and Python; nothing in the package suggests it is doing unrelated credential access or hidden exfiltration.
Name/description (company & person search) match the included scripts and API references. Required binary (python) and required env var (UPKUAJING_API_KEY) are appropriate and declared as the primary credential. The only dependency (httpx) is reasonable for HTTP API calls.
SKILL.md instructs the agent to read/write ~/.upkuajing/.env for the API key and to require explicit user confirmation before performing billable operations — that matches the scripts' design (auth.py can create/save keys). However, the enforcement of 'ask user before billable calls' is left to the agent workflow rather than enforced by the scripts (the scripts themselves run when invoked). Also, every API call triggers a version check (version_check.check_and_notify) which makes a network call to the provider's /api/skills/version endpoint and writes/reads a local version cache; this is an additional external request/telemetry step the SKILL.md does not prominently call out.
No install spec — code is shipped with the skill and depends on a single public Python package (httpx listed in requirements.txt). No remote arbitrary archives or obscure download URLs are used.
Only the UPKUAJING_API_KEY is required and declared as primaryEnv. The scripts read that key from the environment or ~/.upkuajing/.env and will write the file when creating a new key via auth.py. No unrelated credentials or config paths are requested.
The skill writes to the user's home directory (~/.upkuajing): an .env file for the API key, optional logs when ENABLE_API_LOGGING is enabled, and a version_cache.json for daily version checks. The skill is not forced to be always-enabled and does not alter other skills or system-wide settings, but it does create and use files under ~/.upkuajing.
Guidance
This package appears to be a straightforward client for the UpKuaJing API. Before installing, consider: 1) The skill will store your API key under ~/.upkuajing/.env if you use the built-in key creation — keep that file secure or set the key via environment variables instead. 2) The scripts make network calls to the API (normal) and also perform a daily version check to the provider (/api/skills/version) which writes a small cache file under ~/.upkuajing — if you are concerned about telemetry, review or disable that code. 3) The SKILL.md asks the agent to obtain explicit user confirmation before running any operation that incurs fees; the actual scripts will run when invoked, so ensure you (or your agent) follow that confirmation step to avoid unexpected charges. 4) Review legal/privacy implications of bulk contact/personnel lookups for your jurisdiction. 5) The registry/source homepage is not authoritative here — if this skill will be used with sensitive accounts or in production, verify the publisher and API endpoints with the official UpKuaJing developer documentation.
Latest Release
v1.0.6
**Summary:** Introduces a new version check script and clarifies script usage instructions. - Added a new version_check.py script to the scripts directory. - Updated documentation to emphasize using direct script invocation (e.g., python scripts/company_list_search.py) and prohibit compound shell commands (e.g., cd scripts && ...). - No changes to existing APIs or billing logic. - Incremented version to 1.0.6.
More by @warmc
Published by @warmc on ClawHub
