hsciq-mcp Security Report — Trusted | ClawSafe

5 /100

hsciq-mcp

HSC Code Lookup for Chinese Products. Query customs codes, tariff rates, declaration elements, and regulatory requirements via HSCIQ MCP API.

This is a straightforward HTTP API client for Chinese customs code (HS code) lookup. It reads config from disk, uses an API key for authentication, and makes POST requests exclusively to the declared https://www.hsciq.com endpoint. No shell execution, obfuscation, credential exfiltration, or any hidden functionality was detected.

Skill Namehsciq-mcp

Duration29.6s

Enginepi

✓

Safe to install

This skill is safe to use. No security concerns identified.

Findings 1 items

Severity	Finding	Location
Low	Config file access not declared in SKILL.md Doc Mismatch SKILL.md declares environment variable access for credentials but does not mention that both client scripts also read configuration from ~/.openclaw/workspace/hsciq-mcp-config.json and ~/openclaw/workspace/.env.hsciq. This is minor and standard practice. `CONFIG_FILE = os.path.expanduser("~/.openclaw/workspace/hsciq-mcp-config.json")` → Add 'Reads config from ~/.openclaw/workspace/hsciq-mcp-config.json' to SKILL.md's capability declaration	`hsciq_client.py:25`

Resource	Declared	Inferred	Status	Evidence
Network	`READ`	`WRITE`	✓ Aligned	Both scripts POST to https://www.hsciq.com/mcp/tools/call for API calls; SKILL.m…
Environment	`READ`	`READ`	✓ Aligned	hsciq_client.py:29-30 reads HSCIQ_API_KEY, HSCIQ_BASE_URL; hsciq-client.js:38 re…
Filesystem	`NONE`	`READ`	✓ Aligned	hsciq_client.py:25 reads ~/.openclaw/workspace/hsciq-mcp-config.json; hsciq-clie…
Shell	`NONE`	`NONE`	—	No subprocess, no os.system, no exec — only urllib.request and fetch API calls

4 findings

🔗

Medium External URL 外部 URL

https://www.hsciq.com

README.md:20

🔗

Medium External URL 外部 URL

https://www.hsciq.com/MCP/Docs

README.md:53

🔗

Medium External URL 外部 URL

https://www.hsciq.com/mcp/tools/list

SKILL.md:122

🔗

Medium External URL 外部 URL

https://www.hsciq.com/mcp/tools/call

SKILL.md:123

File Tree

4 files · 20.4 KB · 658 lines

Python 1f · 286L Markdown 2f · 237L JavaScript 1f · 135L

├─ 🐍 hsciq_client.py Python 286L · 9.8 KB

├─ 📜 hsciq-client.js JavaScript 135L · 4.9 KB

├─ 📝 README.md Markdown 57L · 1.1 KB

└─ 📝 SKILL.md Markdown 180L · 4.6 KB

Security Positives

✓ No shell execution (subprocess, exec, os.system, child_process) — only HTTP API calls

✓ No obfuscation (no base64, no atob, no eval, no hidden payloads)

✓ No credential exfiltration — API key is used only for authentication to declared endpoint

✓ No sensitive file access beyond standard config reading (~/.openclaw paths)

✓ No remote code execution, no reverse shell, no C2 communication

✓ No hidden instructions in comments or HTML

✓ All network traffic is confined to the declared https://www.hsciq.com API endpoint

✓ Both Python and JavaScript implementations are straightforward, readable, and match the documented behavior

✓ No environment variable iteration for credential harvesting

✓ No supply chain risks — no external dependencies beyond standard library / built-in modules

Scan Report

Findings 1 items

File Tree

Security Positives