Trusted — Risk Score 0/100
Last scan: 2 days ago
Mobile Phone Number Location Query - 手机号码归属地查询
Look up the home province and city, carrier, and card type by mobile phone number
Legitimate phone number attribution lookup skill with clean implementation, properly declared dependencies, and no suspicious behavior.
Skill Name: Mobile Phone Number Location Query - 手机号码归属地查询
Duration: 25.1s
Engine: pi
Safe to install
No action required. The skill performs its documented function safely.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | shouji.py:101 - reads self and outputs JSON |
| Network | READ | READ | ✓ Aligned | shouji.py:33 - GET to api.jisuapi.com (declared in docs) |
| Environment | READ | READ | ✓ Aligned | shouji.py:64 - os.getenv('JISU_API_KEY') (declared in metadata) |
| Shell | NONE | NONE | | No subprocess or shell execution found |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |
| Database | NONE | NONE | | No database operations |
| Skill Invoke | NONE | NONE | | No nested skill invocation |
1 High 4 findings
High · API Key · Suspected hard-coded credential
API_KEY="your_appkey_here"
SKILL.md:22

Medium · External URL
https://www.jisuapi.com/
SKILL.md:9

Medium · External URL
https://www.jisuapi.com/api/shouji/
SKILL.md:15

Medium · External URL
https://api.jisuapi.com/shouji/query
shouji.py:14

File Tree

2 files · 6.7 KB · 217 lines
Markdown 1f · 116L Python 1f · 101L
├─ 🐍 shouji.py Python 101L · 2.4 KB
└─ 📝 SKILL.md Markdown 116L · 4.3 KB

Dependencies · 1 item

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| requests | * | pip | No | Unpinned but standard library-equivalent for HTTP calls; consider pinning for reproducibility |

Security Positives

✓ No shell execution - uses only standard library + requests
✓ API key stored in environment variable, not hardcoded in code
✓ All network calls go to declared JisuAPI endpoint only
✓ Proper error handling with try/except blocks
✓ Input validation for required 'shouji' parameter
✓ Timeout set on HTTP requests (10s)
✓ Script is a simple, focused utility with no side effects
✓ Metadata correctly declares required bins (python3) and env (JISU_API_KEY)
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env files)
✓ No data exfiltration or credential harvesting behavior