Low risk: risk score 10/100
Last scan: 2 days ago
Invoice Verification - 发票查验
Verifies Chinese VAT invoice authenticity via JisuAPI
A legitimate invoice verification tool using JisuAPI with no malicious behavior; minor doc placeholder flagged by pre-scan is benign.
Skill name: Invoice Verification - 发票查验
Analysis time: 34.5s
Engine: pi
Verdict: safe to install
No action needed. The placeholder API key value in documentation is a standard example string, not an actual credential.

Security findings: 1

Severity | Finding | Location
Low | Placeholder API key example in documentation | SKILL.md:23
Details: SKILL.md line 23 shows API_KEY='your_appkey_here' as an example. This is a standard documentation placeholder with no security impact, since the code reads the real value from the environment variable via os.getenv('JISU_API_KEY').
Evidence: export JISU_API_KEY="your_appkey_here"
→ No action needed. Consider changing the example value to 'YOUR_ACTUAL_KEY' to reduce confusion.
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ Consistent | invoiceverify.py:47-48 — requests.get() to api.jisuapi.com for invoice data
Environment variables | READ | READ | ✓ Consistent | invoiceverify.py:134 — os.getenv('JISU_API_KEY') reads a single declared env var
Filesystem | NONE | NONE | | No file read/write operations present in invoiceverify.py
Command execution | NONE | NONE | | No subprocess, os.system, or shell command invocation found
Clipboard | NONE | NONE | | No clipboard access detected
Browser | NONE | NONE | | No browser automation detected
Database | NONE | NONE | | No database access detected
Skill invocation | NONE | NONE | | No nested skill invocation detected
Pre-scan pattern matches: 5 findings (1 high severity)

Severity | Type | Match | Location
High | API key | Suspected hard-coded credential: API_KEY="your_appkey_here" | SKILL.md:23
Medium | External URL | https://www.jisuapi.com/ | SKILL.md:9
Medium | External URL | https://www.jisuapi.com/api/invoiceverify/ | SKILL.md:16
Medium | External URL | https://api.jisuapi.com/invoiceverify/verify | invoiceverify.py:14
Medium | External URL | https://api.jisuapi.com/invoiceverify/type | invoiceverify.py:15

Directory structure

2 files · 13.0 KB · 382 lines
Markdown: 1 file · 209 lines; Python: 1 file · 173 lines
├─ 🐍 invoiceverify.py Python 173L · 4.8 KB
└─ 📝 SKILL.md Markdown 209L · 8.1 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
requests | unpinned | pip | (none listed) | Used only for HTTP GET to known API endpoints; the version should ideally be pinned

Security highlights

✓ All external network requests go to a single known commercial API (api.jisuapi.com), fully declared in docs
✓ No credential harvesting — API key is read from env var and sent only to the intended API endpoint
✓ No shell execution, subprocess, or system command calls
✓ No sensitive file paths (~/.ssh, ~/.aws, .env) are accessed
✓ No base64, eval, or obfuscated code patterns
✓ No hidden functionality — code matches documentation claims
✓ Input validation is present (required fields checked before API call)
✓ No data exfiltration — invoice result is printed to stdout, not sent elsewhere
✓ Dependencies are minimal (only stdlib + requests library)
✓ requests library version not pinned but no known critical vulnerabilities in the usage pattern