企业风险排查 (Enterprise Risk Screening)
Advisory. Audited by static analysis on May 8, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill requires providing a Qixin API token, so queries may be associated with that account.
The skill requires a Qixin API credential. This is expected for the stated integration, but it grants access and may consume quota under the user's Qixin account.
`QXBENT_API_TOKEN` (required) - 启信宝 (Qixin) API access credential
Use a scoped or revocable token if available, keep it out of shared logs, and rotate it if you suspect exposure.
Company names or IDs you ask about leave the local agent environment and are sent to Qixin for lookup.
The code sends the queried company name or enterprise ID to Qixin's external API. This is disclosed and purpose-aligned, but it is still an external data flow.
`baseURL: 'https://external-api.qixin.com/skill/ent/public' ... this.client.post(... { ename })`
Only query companies you are comfortable sending to Qixin, and review Qixin's privacy and retention terms if the searches are sensitive.
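As an added example (not the skill's own code and not part of the ClawScan report), the Node.js snippet below shows how a client for this integration can handle both points above: the token is loaded only from `QXBENT_API_TOKEN` and the client fails closed when it is missing, the outbound request is built as a plain object so the caller can see exactly what leaves the local environment (the `{ ename }` body), and the token is scrubbed from anything that gets logged. Assumptions not stated in the advisory: the token is sent as a Bearer `Authorization` header, and the request path (elided in the advisory's snippet) is left to the skill's own client, so only `baseURL` and the body are modelled.

```javascript
// Added example (not the skill's own code): load QXBENT_API_TOKEN safely,
// show exactly what leaves the local environment, and scrub the token from
// anything that gets logged. Assumptions not stated in the advisory: the
// token is sent as a Bearer Authorization header; the request path is
// whatever the skill's own client uses (elided in the advisory), so only
// baseURL and the body are modelled here.
const BASE_URL = 'https://external-api.qixin.com/skill/ent/public';

function loadToken(env = process.env) {
  const token = env.QXBENT_API_TOKEN;
  if (typeof token !== 'string' || token.trim() === '') {
    // Fail closed rather than falling back to a shared or hardcoded token.
    throw new Error('QXBENT_API_TOKEN is not set');
  }
  return token.trim();
}

// Axios-style request config for the lookup. Returning it (instead of sending
// it) lets a caller inspect or approve the outbound data before any network I/O.
function buildLookupRequest(ename, token) {
  if (typeof ename !== 'string' || ename.trim() === '') {
    throw new Error('ename must be a non-empty company name or enterprise ID');
  }
  return {
    method: 'post',
    baseURL: BASE_URL,
    headers: { Authorization: `Bearer ${token}` }, // assumed auth scheme
    data: { ename: ename.trim() }, // this is the data that reaches Qixin
  };
}

// Replace every occurrence of the token in a string before it is logged.
function redact(text, token) {
  return token ? text.split(token).join('[REDACTED]') : text;
}

// What an audit log for one query should contain: the outbound request with
// the credential removed, plus the company identifier that was disclosed.
function describeOutboundRequest(ename, env = process.env) {
  const token = loadToken(env);
  const req = buildLookupRequest(ename, token);
  return redact(JSON.stringify(req), token);
}

// Constructed input for a stand-alone run (not a real token or company).
if (typeof require !== 'undefined' && require.main === module) {
  const env = { QXBENT_API_TOKEN: 'constructed-token-0001' };
  console.log(describeOutboundRequest('Example Co., Ltd.', env));
}
```

The redaction step matters most for error paths: an axios error object carries the full request config, including headers, so logging it unfiltered would write the token to whatever log sink the agent uses.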
Installing the skill may download a newer compatible axios release from npm depending on the environment.
The skill depends on npm package resolution for axios using a version range. This is normal for a Node API client, but users inherit standard npm supply-chain risk.
`"dependencies": { "axios": "^1.6.0" }`
Install in a trusted environment, consider using a lockfile or pinned dependency for reproducibility, and review updates before deployment.
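As an added example (not the skill's own code and not part of the ClawScan report), this pre-install check flags any dependency specifier that lets npm resolve a newer release at install time, and rewrites such specifiers to the version recorded in `package-lock.json` so the manifest and lockfile agree. `SAMPLE_PKG` mirrors the advisory's dependency line; `SAMPLE_LOCK` and its resolved version are constructed for the example and are not the skill's real lockfile.

```javascript
// Added example (not the skill's own code): a pre-install check for the
// supply-chain point above. Any specifier that is not an exact version lets
// npm pick a newer release at install time; pinFromLock() rewrites such
// specifiers to the version recorded in package-lock.json so manifest and
// lockfile agree. SAMPLE_PKG mirrors the advisory's dependency line;
// SAMPLE_LOCK is constructed for the example (its version is illustrative).
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

function isExactVersion(spec) {
  return typeof spec === 'string' && EXACT_VERSION.test(spec);
}

// Returns every dependency whose specifier can float (^, ~, ranges, tags, URLs).
function checkPinning(pkg) {
  const unpinned = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!isExactVersion(spec)) unpinned.push({ field, name, spec });
    }
  }
  return unpinned;
}

// Lockfile v2/v3 records resolved versions under packages["node_modules/<name>"].
// Entries with no lockfile record are left unchanged and stay flagged.
function pinFromLock(pkg, lock) {
  const pinned = JSON.parse(JSON.stringify(pkg)); // do not mutate the input
  for (const { field, name } of checkPinning(pkg)) {
    const entry = (lock.packages || {})[`node_modules/${name}`];
    if (entry && isExactVersion(entry.version)) pinned[field][name] = entry.version;
  }
  return pinned;
}

// Constructed sample input: the manifest line from the advisory plus a made-up
// lockfile entry standing in for whatever version the real lockfile resolved.
const SAMPLE_PKG = { name: 'example-skill', dependencies: { axios: '^1.6.0' } };
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: { 'node_modules/axios': { version: '1.6.8' } },
};
```

To run it against a real checkout, pass `JSON.parse(fs.readFileSync('package.json', 'utf8'))` and the parsed `package-lock.json` to `pinFromLock`, commit the result together with the lockfile, and install with `npm ci --ignore-scripts` so the lockfile governs resolution and install-time scripts do not run; review any later lockfile diff before accepting it.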
