Back to skill

Security audit

企业信息查询

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do the advertised QiXinBao company lookups, but it should be reviewed because it handles an API token while under-disclosing transmission and leaving dependency risk unresolved.

Install only if you have a QiXinBao API token and are comfortable sending company queries and that token to QiXinBao. Use a dedicated low-privilege or quota-limited token, avoid production credentials for tests, and prefer an updated release that removes the scanner-bypass comment, corrects the token-transmission wording, and pins a patched axios version.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The documentation claims to describe `getPagingEntBasicInfo`, but the body and example actually describe enterprise change-record queries using a different method. This mismatch can cause integrators or downstream agents to call the wrong API, mis-handle returned data, or build logic on incorrect assumptions, which is a real security and reliability risk when business data is used for compliance, due diligence, or automated decisions.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The comment explicitly says the environment variable is read at module load to avoid direct process.env access in the request chain and to 'pass static security scanning'. That is a red flag because it indicates scanner-evasion intent rather than a legitimate security control, which can normalize deceptive practices and hide sensitive-data handling from review. While the code itself is not directly exfiltrating the token, the misleading rationale is dangerous because it undermines auditability and can conceal real issues in adjacent code.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"author": "",
  "license": "MIT",
  "dependencies": {
    "axios": "^1.6.0"
  },
  "devDependencies": {
    "@types/node": "^20.0.0",
Confidence
93% confidence
Finding
"axios": "^1.6.0"

Known Vulnerable Dependency: axios==1.6.0 — 10 advisory(ies): CVE-2025-62718 (Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF); CVE-2026-42044 (Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `pars); CVE-2026-25639 (Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig) +7 more

High
Category
Supply Chain
Confidence
98% confidence
Finding
axios==1.6.0

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/client.ts:19