Enterprise Risk Screening
Pass
Audited by VirusTotal on May 8, 2026.
Overview
Type: OpenClaw Skill
Name: qxb-risk-assessment
Version: 1.0.1
The skill is a legitimate API client for the Qixinbao (启信宝) enterprise risk assessment service. It provides tools to query business risks, shell company characteristics, and contract breaches via the official endpoint (external-api.qixin.com). The code (src/client.ts) and packaging scripts (package.json) are transparent, lack obfuscation, and contain no indicators of data exfiltration or malicious intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill requires providing a Qixin API token, so queries may be associated with that account.
The skill requires a Qixin API credential. This is expected for the stated integration, but it grants access and may consume quota under the user's Qixin account.
`QXBENT_API_TOKEN` (required) - Qixinbao API access credential
Use a scoped or revocable token if available, keep it out of shared logs, and rotate it if you suspect exposure.
Company names or IDs you ask about leave the local agent environment and are sent to Qixin for lookup.
The code sends the queried company name or enterprise ID to Qixin's external API. This is disclosed and purpose-aligned, but it is still an external data flow.
baseURL: 'https://external-api.qixin.com/skill/ent/public' ... this.client.post(... { ename })
Only query companies you are comfortable sending to Qixin, and review Qixin’s privacy and retention terms if the searches are sensitive.
Installing the skill may download a newer compatible axios release from npm depending on the environment.
The skill depends on npm package resolution for axios using a version range. This is normal for a Node API client, but users inherit standard npm supply-chain risk.
"dependencies": { "axios": "^1.6.0" }
Install in a trusted environment, consider using a lockfile or pinned dependency for reproducibility, and review updates before deployment.
