Trusted: risk score 5/100
Last scanned: 2 days ago
Today's Oil Price - 今日油价
Looks up reference gasoline and diesel prices for each province and city, based on JisuAPI (极速数据)
Oil price query skill with clean implementation — no hidden functionality, only documented network access to JisuAPI, and necessary environment variable usage for API authentication.
Skill name: Today's Oil Price - 今日油价
Analysis time: 26.2s
Engine: pi
Verdict: safe to install
No action needed. Consider pinning the requests dependency for reproducible builds.

Security findings: 2

Severity | Finding | Location

Low | Unpinned Python dependency | oil.py:10
The requests library has no version constraint in any lock file, allowing any version to be installed, including releases with known vulnerabilities.
    import requests
→ Add a requirements.txt with requests pinned to a known-safe version, e.g. requests>=2.32.0

Info | SKILL.md placeholder example is benign | SKILL.md:26
SKILL.md:26 shows API_KEY="your_appkey_here" as a placeholder in documentation instructions. This is not a hardcoded credential in code; it is a documentation example instructing users to set their own key.
    export JISU_API_KEY="your_appkey_here"
→ No action needed; this is documentation, not a real credential.
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | NONE | NONE | - | oil.py: no file read/write operations
Network access | READ | READ | ✓ consistent | oil.py:14 — GET requests to api.jisuapi.com only; documented and necessary for t…
Command execution | NONE | NONE | - | oil.py: no subprocess/spawn calls
Environment variables | NONE | READ | ✓ consistent | oil.py:44 — reads JISU_API_KEY; declared in SKILL.md requires env; necessary for…
Skill invocation | NONE | NONE | - | no skill_invoke usage
Clipboard | NONE | NONE | - | no clipboard access
Browser | NONE | NONE | - | no browser automation
Database | NONE | NONE | - | no database access
Pattern matches: 1 high · 4 findings

🔑 High | API key | Suspected hardcoded credential
API_KEY="your_appkey_here"
SKILL.md:26

🔗 Medium | External URL
https://www.jisuapi.com/
SKILL.md:9

🔗 Medium | External URL
https://www.jisuapi.com/api/oil/
SKILL.md:19

🔗 Medium | External URL
https://api.jisuapi.com/oil
oil.py:14

Directory structure

2 files · 8.0 KB · 268 lines
Markdown: 1 file · 153 lines · Python: 1 file · 115 lines
├─ 🐍 oil.py Python 115L · 2.9 KB
└─ 📝 SKILL.md Markdown 153L · 5.1 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
requests | * | pip | - | Version not pinned — could resolve to a vulnerable release

Security highlights

✓ No shell command execution — subprocess not used anywhere
✓ No sensitive path access (~/.ssh, ~/.aws, .env files)
✓ No data exfiltration — only makes outbound GET requests to documented JisuAPI endpoint
✓ No base64/eval/atob patterns — code is straightforward and readable
✓ No hidden HTML comments or steganographic content
✓ Network access is fully declared in SKILL.md and matches code behavior
✓ Environment variable access is declared in metadata and is necessary for the feature
✓ JSON parsing is safe with no dynamic code execution
✓ Timeout of 10 seconds prevents indefinite hangs
✓ Error handling is present and appropriate