企业股权穿透 (Enterprise Equity Penetration)

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward enterprise equity-query skill with disclosed API-token use and external Qixin API calls, with dependency hygiene cautions but no hidden or destructive behavior found.

Install only if you are comfortable providing a Qixin API token and sending queried company names or enterprise IDs to Qixin's external API. For legal, investment, or compliance use, prefer enterprise ID lookup or verify the returned company name because fuzzy name matching may select the wrong entity. A pinned, updated axios version with a lockfile would improve reproducibility and dependency security.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Unpinned Dependencies

Low
Category
Supply Chain
Content
  "author": "",
  "license": "MIT",
  "dependencies": {
    "axios": "^1.6.0"
  },
  "devDependencies": {
    "@types/node": "^20.0.0",
Confidence
89% confidence
Finding
"axios": "^1.6.0"

Known Vulnerable Dependency: axios==1.6.0 — 10 advisory(ies): CVE-2025-62718 (Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF); CVE-2026-42044 (Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `pars); CVE-2026-25639 (Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig) +7 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
axios==1.6.0

VirusTotal

64/64 vendors flagged this skill as clean.
