Low Risk — Risk Score 10/100
Last scan: 2 days ago
Invoice Verification - 发票查验
Verifies Chinese VAT invoice authenticity via JisuAPI
A legitimate invoice verification tool using JisuAPI with no malicious behavior; minor doc placeholder flagged by pre-scan is benign.
Skill Name: Invoice Verification - 发票查验
Duration: 34.5s
Engine: pi
Safe to install
No action needed. The placeholder API key value in documentation is a standard example string, not an actual credential.

Findings: 1 item

Severity: Low
Finding: Placeholder API key example in documentation
SKILL.md line 23 shows API_KEY='your_appkey_here' as an example. This is a standard documentation placeholder with no security impact since the code reads from the real environment variable os.getenv('JISU_API_KEY').
export JISU_API_KEY="your_appkey_here"
→ No action needed. Consider clarifying the example format to 'YOUR_ACTUAL_KEY' to reduce confusion.
Location: SKILL.md:23
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | invoiceverify.py:47-48 — requests.get() to api.jisuapi.com for invoice data
Environment | READ | READ | ✓ Aligned | invoiceverify.py:134 — os.getenv('JISU_API_KEY') reads a single declared env var
Filesystem | NONE | NONE | | No file read/write operations present in invoiceverify.py
Shell | NONE | NONE | | No subprocess, os.system, or shell command invocation found
Clipboard | NONE | NONE | | No clipboard access detected
Browser | NONE | NONE | | No browser automation detected
Database | NONE | NONE | | No database access detected
Skill Invoke | NONE | NONE | | No nested skill invocation detected
Pre-scan findings: 5 (1 High, 4 Medium)

High · API Key · Suspected hard-coded credential
API_KEY="your_appkey_here"
SKILL.md:23

Medium · External URL
https://www.jisuapi.com/
SKILL.md:9

Medium · External URL
https://www.jisuapi.com/api/invoiceverify/
SKILL.md:16

Medium · External URL
https://api.jisuapi.com/invoiceverify/verify
invoiceverify.py:14

Medium · External URL
https://api.jisuapi.com/invoiceverify/type
invoiceverify.py:15

File Tree

2 files · 13.0 KB · 382 lines
Markdown: 1 file · 209 lines; Python: 1 file · 173 lines
├─ invoiceverify.py (Python, 173 lines, 4.8 KB)
└─ SKILL.md (Markdown, 209 lines, 8.1 KB)

Dependencies: 1 item

Package | Version | Source | Known Vulns | Notes
requests | unpinned | pip | No | Used only for HTTP GET to known API endpoints; version should ideally be pinned

Security Positives

✓ All external network requests go to a single known commercial API (api.jisuapi.com), fully declared in docs
✓ No credential harvesting — API key is read from env var and sent only to the intended API endpoint
✓ No shell execution, subprocess, or system command calls
✓ No sensitive file paths (~/.ssh, ~/.aws, .env) are accessed
✓ No base64, eval, or obfuscated code patterns
✓ No hidden functionality — code matches documentation claims
✓ Input validation is present (required fields checked before API call)
✓ No data exfiltration — invoice result is printed to stdout, not sent elsewhere
✓ Dependencies are minimal (only stdlib + requests library)
✓ requests library version not pinned but no known critical vulnerabilities in the usage pattern