扫描报告
0 /100
Mobile Phone Number Location Query - 手机号码归属地查询
根据手机号查归属省市、运营商与卡类型
Legitimate phone number attribution lookup skill with clean implementation, properly declared dependencies, and no suspicious behavior.
可以安装
No action required. The skill performs its documented function safely.
| 资源类型 | 声明权限 | 推断权限 | 状态 | 证据 |
|---|---|---|---|---|
| 文件系统 | READ | READ | ✓ 一致 | shouji.py:101 - reads self and outputs JSON |
| 网络访问 | READ | READ | ✓ 一致 | shouji.py:33 - GET to api.jisuapi.com (declared in docs) |
| 环境变量 | READ | READ | ✓ 一致 | shouji.py:64 - os.getenv('JISU_API_KEY') (declared in metadata) |
| 命令执行 | NONE | NONE | — | No subprocess or shell execution found |
| 剪贴板 | NONE | NONE | — | No clipboard access |
| 浏览器 | NONE | NONE | — | No browser automation |
| 数据库 | NONE | NONE | — | No database operations |
| 技能调用 | NONE | NONE | — | No nested skill invocation |
1 高危 4 项发现
高危 API 密钥 疑似硬编码凭证
API_KEY="your_appkey_here" SKILL.md:22 中危 外部 URL 外部 URL
https://www.jisuapi.com/ SKILL.md:9 中危 外部 URL 外部 URL
https://www.jisuapi.com/api/shouji/ SKILL.md:15 中危 外部 URL 外部 URL
https://api.jisuapi.com/shouji/query shouji.py:14 目录结构
2 文件 · 6.7 KB · 217 行 Markdown 1f · 116L
Python 1f · 101L
├─
shouji.py
Python
└─
SKILL.md
Markdown
依赖分析 1 项
| 包名 | 版本 | 来源 | 已知漏洞 | 备注 |
|---|---|---|---|---|
requests | * | pip | 否 | Unpinned but standard library-equivalent for HTTP calls; consider pinning for reproducibility |
安全亮点
✓ No shell execution - uses only standard library + requests
✓ API key stored in environment variable, not hardcoded in code
✓ All network calls go to declared JisuAPI endpoint only
✓ Proper error handling with try/except blocks
✓ Input validation for required 'shouji' parameter
✓ Timeout set on HTTP requests (10s)
✓ Script is a simple, focused utility with no side effects
✓ Metadata correctly declares required bins (python3) and env (JISU_API_KEY)
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env files)
✓ No data exfiltration or credential harvesting behavior