中文 EN

扫描报告

扫描新文件

可信 — 风险评分 5/100
上次扫描:1 天前 重新扫描
5 /100
hsciq-mcp
HSC Code Lookup for Chinese Products. Query customs codes, tariff rates, declaration elements, and regulatory requirements via HSCIQ MCP API.
This is a straightforward HTTP API client for Chinese customs code (HS code) lookup. It reads config from disk, uses an API key for authentication, and makes POST requests exclusively to the declared https://www.hsciq.com endpoint. No shell execution, obfuscation, credential exfiltration, or any hidden functionality was detected.
技能名称hsciq-mcp
分析耗时29.6s
引擎pi
可以安装
This skill is safe to use. No security concerns identified.

安全发现 1 项

严重性 安全发现 位置
低危
Config file access not declared in SKILL.md 文档欺骗
SKILL.md declares environment variable access for credentials but does not mention that both client scripts also read configuration from ~/.openclaw/workspace/hsciq-mcp-config.json and ~/openclaw/workspace/.env.hsciq. This is minor and standard practice.
CONFIG_FILE = os.path.expanduser("~/.openclaw/workspace/hsciq-mcp-config.json")
→ Add 'Reads config from ~/.openclaw/workspace/hsciq-mcp-config.json' to SKILL.md's capability declaration
 hsciq_client.py:25
资源类型声明权限推断权限状态证据
网络访问 READ WRITE ✓ 一致 Both scripts POST to https://www.hsciq.com/mcp/tools/call for API calls; SKILL.m…
环境变量 READ READ ✓ 一致 hsciq_client.py:29-30 reads HSCIQ_API_KEY, HSCIQ_BASE_URL; hsciq-client.js:38 re…
文件系统 NONE READ ✓ 一致 hsciq_client.py:25 reads ~/.openclaw/workspace/hsciq-mcp-config.json; hsciq-clie…
命令执行 NONE NONE No subprocess, no os.system, no exec — only urllib.request and fetch API calls
4 项发现
🔗
中危 外部 URL 外部 URL
https://www.hsciq.com
README.md:20
🔗
中危 外部 URL 外部 URL
https://www.hsciq.com/MCP/Docs
README.md:53
🔗
中危 外部 URL 外部 URL
https://www.hsciq.com/mcp/tools/list
SKILL.md:122
🔗
中危 外部 URL 外部 URL
https://www.hsciq.com/mcp/tools/call
SKILL.md:123

目录结构

4 文件 · 20.4 KB · 658 行
Python 1f · 286L Markdown 2f · 237L JavaScript 1f · 135L
├─ 🐍 hsciq_client.py Python 286L · 9.8 KB
├─ 📜 hsciq-client.js JavaScript 135L · 4.9 KB
├─ 📝 README.md Markdown 57L · 1.1 KB
└─ 📝 SKILL.md Markdown 180L · 4.6 KB

安全亮点

✓ No shell execution (subprocess, exec, os.system, child_process) — only HTTP API calls
✓ No obfuscation (no base64, no atob, no eval, no hidden payloads)
✓ No credential exfiltration — API key is used only for authentication to declared endpoint
✓ No sensitive file access beyond standard config reading (~/.openclaw paths)
✓ No remote code execution, no reverse shell, no C2 communication
✓ No hidden instructions in comments or HTML
✓ All network traffic is confined to the declared https://www.hsciq.com API endpoint
✓ Both Python and JavaScript implementations are straightforward, readable, and match the documented behavior
✓ No environment variable iteration for credential harvesting
✓ No supply chain risks — no external dependencies beyond standard library / built-in modules