Listed Company Information Lookup
Pass
Audited by ClawScan on May 8, 2026.
Overview
This appears to be a straightforward listed-company lookup skill that uses a Qixin API token and an npm HTTP dependency, with no hidden or destructive behavior found.
This skill is reasonable to install if you trust the Qixin API service and the npm dependency chain. Treat QXBENT_API_TOKEN as sensitive, prefer a dedicated token, and review returned company names when using fuzzy company-name searches.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can use your Qixin API token when making listed-company information queries.
The skill reads a local Qixin API token and attaches it to outbound API requests. This is expected for the stated service, but the token grants access to the user's API account/quota.
const DEFAULT_API_TOKEN = process.env.QXBENT_API_TOKEN ... 'x-api-token': apiToken
Use a dedicated or limited Qixin token if possible, keep it out of shared logs and repositories, and rotate/revoke it if the environment is no longer trusted.
Installing the skill may fetch third-party Node packages from npm.
The skill installs a third-party npm dependency with a version range. This is normal for an HTTP client, but it means runtime behavior depends on npm package provenance and version resolution.
"dependencies": { "axios": "^1.6.0" }
Install from a trusted npm registry and consider using a lockfile or pinned dependency versions in controlled environments.
