Company Listing Information Query

Pass

Audited by VirusTotal on May 8, 2026.

Overview

Type: OpenClaw Skill
Name: qxb-listed-info
Version: 1.0.1

The skill bundle is a legitimate integration for the Qixinbao (QXB) API to query Chinese listed company data (A-shares, H-shares, etc.). The code in `src/client.ts` and `src/test.ts` follows standard practices, using the `axios` library to communicate with a known business data provider endpoint (external-api.qixin.com). No evidence of data exfiltration, malicious execution, or harmful prompt injection was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can use your Qixin API token when making listed-company information queries.

Why it was flagged

The skill reads a local Qixin API token and attaches it to outbound API requests. This is expected for the stated service, but the token grants access to the user's API account/quota.

Skill content

const DEFAULT_API_TOKEN = process.env.QXBENT_API_TOKEN ... 'x-api-token': apiToken

Recommendation

Use a dedicated or limited Qixin token if possible, keep it out of shared logs and repositories, and rotate/revoke it if the environment is no longer trusted.

What this means

Installing the skill may fetch third-party Node packages from npm.

Why it was flagged

The skill installs a third-party npm dependency with a version range. This is normal for an HTTP client, but it means runtime behavior depends on npm package provenance and version resolution.

Skill content

"dependencies": { "axios": "^1.6.0" }

Recommendation

Install from a trusted npm registry and consider using a lockfile or pinned dependency versions in controlled environments.