Trusted — Risk Score 5/100
Last scan: 1 day ago
Today's Oil Price - 今日油价
Queries reference gasoline and diesel prices for each province and city, based on JisuAPI (极速数据).
Oil price query skill with clean implementation — no hidden functionality, only documented network access to JisuAPI, and necessary environment variable usage for API authentication.
Skill Name: Today's Oil Price - 今日油价
Duration: 26.2s
Engine: pi
Safe to install
No action needed. Consider pinning the requests dependency for reproducible builds.

Findings (2 items)

Severity: Low
Finding: Unpinned Python dependency
Location: oil.py:10
The requests library has no version constraint in any lock file, so any version can be installed, including releases with known vulnerabilities.
Evidence: import requests
→ Add a requirements.txt with requests pinned to a known-safe version, e.g. requests>=2.32.0

Severity: Info
Finding: SKILL.md placeholder example is benign
Location: SKILL.md:26
SKILL.md:26 shows API_KEY="your_appkey_here" as a placeholder in the documentation instructions. This is not a hardcoded credential in code — it is a documentation example instructing users to set their own key.
Evidence: export JISU_API_KEY="your_appkey_here"
→ No action needed; this is documentation, not a real credential.
Resource      Declared  Inferred  Status     Evidence
Filesystem    NONE      NONE                 oil.py: no file read/write operations
Network       READ      READ      ✓ Aligned  oil.py:14 — GET requests to api.jisuapi.com only; documented and necessary for t…
Shell         NONE      NONE                 oil.py: no subprocess/spawn calls
Environment   NONE      READ      ✓ Aligned  oil.py:44 — reads JISU_API_KEY; declared in SKILL.md requires env; necessary for…
Skill Invoke  NONE      NONE                 no skill_invoke usage
Clipboard     NONE      NONE                 no clipboard access
Browser       NONE      NONE                 no browser automation
Database      NONE      NONE                 no database access
1 High, 4 findings

High: API Key (suspected hardcoded credential)
API_KEY="your_appkey_here"
SKILL.md:26

Medium: External URL
https://www.jisuapi.com/
SKILL.md:9

Medium: External URL
https://www.jisuapi.com/api/oil/
SKILL.md:19

Medium: External URL
https://api.jisuapi.com/oil
oil.py:14

File Tree

2 files · 8.0 KB · 268 lines
Markdown: 1 file · 153 lines; Python: 1 file · 115 lines
├─ oil.py (Python, 115 lines · 2.9 KB)
└─ SKILL.md (Markdown, 153 lines · 5.1 KB)

Dependencies (1 item)

Package   Version  Source  Known Vulns  Notes
requests  *        pip     No           Version not pinned — could resolve to a vulnerable release

Security Positives

✓ No shell command execution — subprocess not used anywhere
✓ No sensitive path access (~/.ssh, ~/.aws, .env files)
✓ No data exfiltration — only makes outbound GET requests to documented JisuAPI endpoint
✓ No base64/eval/atob patterns — code is straightforward and readable
✓ No hidden HTML comments or steganographic content
✓ Network access is fully declared in SKILL.md and matches code behavior
✓ Environment variable access is declared in metadata and is necessary for the feature
✓ JSON parsing is safe with no dynamic code execution
✓ Timeout of 10 seconds prevents indefinite hangs
✓ Error handling is present and appropriate