Fx Base
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a disclosed Feima API helper, but it requires an API key and sends request data to Feima's backend.
This skill is a small shared API helper and does not show malicious behavior in the provided artifacts. Before installing it, confirm you trust Feima's API service and review any dependent skills, because they decide what request data is sent using your FX_AI_API_KEY.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A dependent skill can authenticate requests to Feima's backend using the user's configured API key.
The helper reads the user's API key from the environment and sends it as an authentication header to the configured Feima API. This is expected for the stated purpose, but it is sensitive credential use.
const key = process.env.FX_AI_API_KEY; ... 'Fx-Ai-Api-Key': `Bearer ${key}`Only set FX_AI_API_KEY if you trust the Feima platform and the dependent skills that will call this helper; keep the key out of logs and shared prompts.
Data supplied to dependent skills may leave the local environment and be processed by Feima's service.
The documentation clearly discloses that user-provided data is sent to an external provider for processing. This is purpose-aligned, but it crosses a data boundary.
用户提供的数据会被发送到 `https://api-ai-brain.fenxianglife.com` 进行处理
Review dependent skills to understand what data they send, and avoid using this helper with sensitive data unless the provider's policies meet your needs.