Low Risk — Risk Score 15/100
Last scan: 1 day ago
Car Models Inquiry - 车型大全查询
Look up brands, car series, model details, search, and popular/sales rankings. Use this skill when the user asks things like: What configurations does the BYD Han come in? Recommended SUV model data for around 100,000, or similar car-database questions.
Benign car catalog API wrapper that makes HTTP requests to JisuAPI. The API_KEY placeholder in documentation is not an actual credential. No malicious behavior detected.
Skill Name: Car Models Inquiry - 车型大全查询
Duration: 31.4s
Engine: pi
Safe to install
No action required. The skill is a legitimate data retrieval tool. Consider pinning the requests library version for stability.

Findings 2 items

Severity Finding Location
Low
API key placeholder in documentation
SKILL.md shows 'API_KEY="your_appkey_here"' which is a documentation placeholder/example, not an actual credential. This is a common pattern in API documentation.
API_KEY="your_appkey_here"
→ No action needed - this is a placeholder, not hardcoded credentials
SKILL.md:31
Low
Unpinned requests dependency
The requests library is used but version is not pinned, which could lead to unexpected behavior if the library is updated.
import requests
→ Consider adding 'requests>=2.28.0' to a requirements.txt file
car.py:9
Resource     | Declared | Inferred | Status    | Evidence
Filesystem   | NONE     | NONE     |           | No file operations in car.py
Network      | UNKNOWN  | READ     | ✓ Aligned | Makes HTTP GET to api.jisuapi.com/car (legitimate API service)
Shell        | NONE     | NONE     |           | No subprocess or shell execution
Environment  | READ     | READ     | ✓ Aligned | Reads JISU_API_KEY from os.getenv (line 157)
Skill Invoke | NONE     | NONE     |           | No skill invocation
Clipboard    | NONE     | NONE     |           | No clipboard access
Browser      | NONE     | NONE     |           | No browser automation
Database     | NONE     | NONE     |           | No database operations
1 High, 5 findings

High: API Key (suspected hard-coded credential)
API_KEY="your_appkey_here"
SKILL.md:31

Medium: External URL
https://www.jisuapi.com/
SKILL.md:9

Medium: External URL
https://www.jisuapi.com/api/car
SKILL.md:24

Medium: External URL
https://www.jisuapi.com/api/car/
car.py:5

Medium: External URL
https://api.jisuapi.com/car
car.py:14

File Tree

2 files · 12.7 KB · 391 lines
Python 1f · 232L Markdown 1f · 159L
├─ 🐍 car.py Python 232L · 6.1 KB
└─ 📝 SKILL.md Markdown 159L · 6.6 KB

Dependencies 1 items

Package  | Version | Source | Known Vulns | Notes
requests | *       | pip    | No          | Version not pinned - consider pinning for stability

Security Positives

✓ No shell execution or subprocess calls
✓ No file system operations beyond standard library
✓ No credential exfiltration or data theft
✓ Clean, straightforward API wrapper design
✓ No base64, eval, or obfuscation patterns
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No remote script execution (curl|bash, wget|sh)
✓ No hidden functionality or stealthy behavior
✓ Legitimate third-party API service (JisuAPI.com)
✓ Proper error handling with timeout and exception management