Official skill for upkuajing (跨境魔方). Find companies (找公司) and global buyers using customs trade data. Get trade order details, business contact info, and lea...
Security Analysis
high confidence
The skill's code, runtime instructions, and required credentials match its stated purpose (searching UpKuaJing customs/trade data) and do not request unrelated system access.
Name/description, required binary (python), and required env var (UPKUAJING_API_KEY) align with the included scripts and documented API endpoints. All declared requirements are appropriate for a client of the UpKuaJing Open Platform.
SKILL.md and the scripts only instruct the agent to call the UpKuaJing API, manage an API key stored at ~/.upkuajing/.env, run local Python scripts, and handle paging/fees. There is no instruction to read arbitrary system files or exfiltrate data outside the UpKuaJing endpoints. The skill will store API keys and logs in ~/.upkuajing and task data under the skill directory as described.
This is an instruction-only skill with no external install spec. requirements.txt includes only httpx, a reasonable dependency for HTTP calls. Nothing is downloaded from untrusted URLs or written to system locations beyond the skill-specific dirs.
Only UPKUAJING_API_KEY is required and is the primary credential; scripts read/write a local ~/.upkuajing/.env file as documented. No unrelated credentials or secrets are requested.
always is false and the skill does not request elevated system privileges. It writes its own cache, logs (if enabled), and task files under ~/.upkuajing or the skill's task_data directory, which is normal for this type of client tool.
Guidance
This skill appears to be what it claims: a Python client for the UpKuaJing Open Platform. Before installing, ensure you trust the UpKuaJing service and are comfortable providing an API key. Note that:
- The skill will store your API key in ~/.upkuajing/.env (or read it from the UPKUAJING_API_KEY environment variable). Keep that file protected.
- API calls are billed; the scripts require confirmation before operations that incur fees, but you should verify pricing on the provider site and confirm before bulk queries or batch contact fetches.
- The code performs a daily version check by POSTing to the provider's /api/skills/version endpoint and writes a small cache file in ~/.upkuajing; if you prefer no remote checks, you can disable or modify that behavior in scripts/version_check.py.
- Optional logging can record request/response JSON into ~/.upkuajing/logs if ENABLE_API_LOGGING is set to True in common.py (it defaults to False).
If you need higher assurance, run the scripts in a controlled environment and inspect network traffic to confirm calls go only to openapi.upkuajing.com.
Latest Release
v1.0.6
- Added a new script: scripts/version_check.py.
- Documented a best practice in SKILL.md: always use direct script invocation (e.g. python scripts/xxx.py), and do not use compound commands like cd scripts && python xxx.py.
- Updated skill version to 1.0.6.
Published by @warmc on ClawHub