Enterprise Business Registration Information Query (企业工商信息查询)
Advisory
Audited by Static analysis on May 8, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill may allow the agent to run the included Node-based code for this integration.
The skill requests local Node execution capability. This is broad, but it matches the Node/TypeScript client implementation and no hidden or destructive command path is shown.
`Bash(node:*)`: allows executing Node.js/TypeScript code
Use the skill only from a trusted install source and keep agent use limited to the documented company-information query workflow.
The token can consume or access the user's Qixinbao API quota for enterprise information queries.
The client reads the Qixinbao API token from the environment and sends it as the API authentication header. This is expected for the stated service and there is no evidence of token logging or unrelated transmission.
const DEFAULT_API_TOKEN = process.env.QXBENT_API_TOKEN ... 'x-api-token': apiToken
Use a dedicated, revocable API token with the minimum needed access, and avoid exposing the environment variable in logs, screenshots, or shared shell profiles.
A future install could receive a newer compatible axios release from npm.
The skill depends on an npm package with a semver range. This is normal for a Node API client, but it means installation may fetch dependency code from npm rather than relying only on the reviewed files.
"dependencies": { "axios": "^1.6.0" }
Install from a trusted registry and consider using a lockfile or pinned dependency version in controlled environments.
