Security audit

企业上市信息查询 (Listed-Company Information Lookup)

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Qixin listed-company lookup tool with disclosed token use and no hidden persistence or unrelated local access.

Install only if you trust the Qixin API provider and can protect the QXBENT_API_TOKEN like a password. For investment, due-diligence, or compliance use, prefer eid-based queries or verify the returned ename before relying on results, and consider updating or pinning dependencies before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The documentation states that when `ename` cannot be precisely matched, the system will automatically use the first search result, but it does not warn users that this may silently query the wrong company. In a financial due-diligence and investment context, this can cause analysts or downstream agents to retrieve and act on data for an unintended entity, leading to erroneous decisions, misreporting, or compliance issues.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
  "author": "",
  "license": "MIT",
  "dependencies": {
    "axios": "^1.6.0"
  },
  "devDependencies": {
    "@types/node": "^20.0.0",
Confidence: 90%
Finding: "axios": "^1.6.0"

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
  },
  "devDependencies": {
    "@types/node": "^20.0.0",
    "ts-node": "^10.9.0",
    "typescript": "^5.0.0"
  }
}
Confidence: 79%
Finding: "ts-node": "^10.9.0"

Known Vulnerable Dependency: axios==1.6.0 — 10 advisory(ies): CVE-2025-62718 (Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF); CVE-2026-42044 (Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `pars); CVE-2026-25639 (Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig) +7 more

Severity: High
Category: Supply Chain
Confidence: 98%
Finding: axios==1.6.0

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.