企业风险排查 (Enterprise Risk Screening)
Pass. Audited by ClawScan on May 8, 2026.
Overview
This appears to be a straightforward Qixin enterprise-risk lookup skill, but it requires your Qixin API token and sends the company names or IDs you query to Qixin.
This skill is reasonable to install if you trust the publisher and Qixin service. Protect the QXBENT_API_TOKEN, expect queries to go to Qixin and possibly consume quota, and install npm dependencies from a trusted environment.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill requires providing a Qixin API token, so queries may be associated with that account.
The skill requires a Qixin API credential. This is expected for the stated integration, but it grants access and may consume quota under the user's Qixin account.
`QXBENT_API_TOKEN` (required) - 启信宝 (Qixin) API access credential
Use a scoped or revocable token if available, keep it out of shared logs, and rotate it if you suspect exposure.
Company names or IDs you ask about leave the local agent environment and are sent to Qixin for lookup.
The code sends the queried company name or enterprise ID to Qixin's external API. This is disclosed and purpose-aligned, but it is still an external data flow.
`baseURL: 'https://external-api.qixin.com/skill/ent/public' ... this.client.post(... { ename })`
Only query companies you are comfortable sending to Qixin, and review Qixin's privacy and retention terms if the searches are sensitive.
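The token handling and outbound data flow from the two findings above, as an added example that is not the skill's own code: the credential is loaded fail-closed from `QXBENT_API_TOKEN`, the request that leaves the local environment is built explicitly so it is clear that only the queried name travels in the body, and the token is scrubbed from anything that is logged. The header used to carry the token (`X-Api-Key`) and the endpoint path passed by the caller are assumptions; the page only shows the base URL and the `{ ename }` body.

```javascript
// Added example, not the skill's code. Assumes the token is sent in an
// X-Api-Key header and that the caller supplies the endpoint path; neither
// is shown on the page.
const QIXIN_BASE_URL = 'https://external-api.qixin.com/skill/ent/public';

// Fail closed: refuse to build a client without a credential rather than
// sending unauthenticated requests that burn retries or leak the query.
function loadToken(env = process.env) {
  const token = env.QXBENT_API_TOKEN;
  if (typeof token !== 'string' || token.trim() === '') {
    throw new Error('QXBENT_API_TOKEN is not set; refusing to start without a credential');
  }
  return token.trim();
}

// Everything that leaves the local agent environment for one lookup.
// The body carries only the company name; the token rides in a header.
function buildLookupRequest(ename, token, path) {
  if (typeof ename !== 'string' || ename.trim() === '') {
    throw new Error('ename (company name or ID) is required');
  }
  if (typeof path !== 'string' || !path.startsWith('/')) {
    throw new Error('endpoint path must start with "/"');
  }
  return {
    method: 'POST',
    url: QIXIN_BASE_URL + path,
    headers: { 'Content-Type': 'application/json', 'X-Api-Key': token }, // header name assumed
    body: JSON.stringify({ ename: ename.trim() }),
  };
}

// Mask every occurrence of the token before text reaches a log or error.
function redact(text, token) {
  if (!token) return text;
  return text.split(token).join('[REDACTED]');
}

// Log-safe description of a request: same shape, credential masked.
function describeRequest(req, token) {
  const view = { method: req.method, url: req.url, headers: req.headers, body: req.body };
  return redact(JSON.stringify(view), token);
}

// Usage (constructed inputs; '/hypothetical-endpoint' is not a real Qixin path):
// const token = loadToken();
// const req = buildLookupRequest('示例公司', token, '/hypothetical-endpoint');
// console.log(describeRequest(req, token));
```

Wrap the real axios call with `describeRequest` rather than logging the raw config; axios error objects embed the request headers, so an unredacted `console.error(err)` is the typical way the token ends up in shared logs.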
Installing the skill may download a newer compatible axios release from npm depending on the environment.
The skill depends on npm package resolution for axios using a version range. This is normal for a Node API client, but users inherit standard npm supply-chain risk.
`"dependencies": { "axios": "^1.6.0" }`
Install in a trusted environment, consider using a lockfile or pinned dependency for reproducibility, and review updates before deployment.
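A pre-install check for the finding above, as an added example that is not the skill's own code: it reads a package.json, reports every dependency specifier that is a range rather than an exact version, and notes whether a lockfile ships alongside it. The sample manifest is constructed from the `"axios": "^1.6.0"` entry shown in the finding; the file list passed to the audit is also constructed.

```javascript
// Added example, not the skill's code. Audits a package.json object plus the
// list of files shipped with it; nothing here touches the network.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
const LOCKFILES = ['package-lock.json', 'npm-shrinkwrap.json', 'yarn.lock', 'pnpm-lock.yaml'];

// Every specifier that lets npm pick a version at install time.
function unpinnedDependencies(pkg) {
  const found = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) found.push({ field, name, spec });
    }
  }
  return found;
}

// Summarise the supply-chain posture of an install spec.
function auditInstallSpec(pkg, shippedFiles) {
  const unpinned = unpinnedDependencies(pkg);
  const hasLockfile = shippedFiles.some((f) => LOCKFILES.includes(f));
  const warnings = unpinned.map(
    (d) => `${d.field}.${d.name} uses range "${d.spec}"; install may resolve a newer release`
  );
  if (!hasLockfile) warnings.push('no lockfile shipped; resolution is not reproducible');
  return { unpinned, hasLockfile, warnings };
}

// One remediation option: strip a leading ^ or ~ so the range becomes the
// exact lower bound. Only applied when what remains is a full x.y.z version;
// anything else (e.g. "latest", ">=1") is left for manual review.
function pinToLowerBound(pkg) {
  const pinned = JSON.parse(JSON.stringify(pkg));
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pinned[field] || {})) {
      const stripped = spec.replace(/^[\^~]/, '');
      if (EXACT_VERSION.test(stripped)) pinned[field][name] = stripped;
    }
  }
  return pinned;
}

// Constructed sample built from the finding's evidence line.
const SAMPLE_PKG = { name: 'qixin-skill-sample', dependencies: { axios: '^1.6.0' } };

function sampleAudit() {
  return auditInstallSpec(SAMPLE_PKG, ['package.json', 'SKILL.md']);
}
```

Run `auditInstallSpec` on the skill directory before `npm install`; if it reports unpinned entries and no lockfile, either commit a lockfile and install with `npm ci`, or apply `pinToLowerBound` and review the pinned versions against the advisories you care about before deployment.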
