qibook-company-profile

SUSPICIOUS: The skill’s purpose is coherent and there is no clear malware behavior, but it forwards a sensitive API key to a user-configurable `QIBOOK_BASE_URL` instead of a fixed verified official endpoint. That endpoint flexibility creates a meaningful credential and data-flow risk, keeping this above benign but below malicious.