Low risk: risk score 15/100
Last scan: 2 days ago
Car Models Inquiry - 车型大全查询
Look up brands, model series, model details, search, and popular/sales rankings. Use this skill when the user asks things like "What trims does the BYD Han come in?", "Recommended SUV models around 100,000 yuan", or similar car-database questions.
Benign car catalog API wrapper that makes HTTP requests to JisuAPI. The API_KEY placeholder in documentation is not an actual credential. No malicious behavior detected.
Skill name: Car Models Inquiry - 车型大全查询
Analysis time: 31.4s
Engine: pi
Verdict: safe to install
No action required. The skill is a legitimate data retrieval tool. Consider pinning the requests library version for stability.

Security findings (2)

Severity: Low
Finding: API key placeholder in documentation
SKILL.md shows 'API_KEY="your_appkey_here"', which is a documentation placeholder/example, not an actual credential. This is a common pattern in API documentation.
Evidence: API_KEY="your_appkey_here"
→ No action needed - this is a placeholder, not a hardcoded credential
Location: SKILL.md:31

Severity: Low
Finding: Unpinned requests dependency
The requests library is used but its version is not pinned, which could lead to unexpected behavior if the library is updated.
Evidence: import requests
→ Consider adding 'requests>=2.28.0' to a requirements.txt file
Location: car.py:9
Resource type         Declared   Inferred   Status         Evidence
File system           NONE       NONE                      No file operations in car.py
Network access        UNKNOWN    READ       ✓ consistent   Makes HTTP GET to api.jisuapi.com/car (legitimate API service)
Command execution     NONE       NONE                      No subprocess or shell execution
Environment variables READ       READ       ✓ consistent   Reads JISU_API_KEY from os.getenv (line 157)
Skill invocation      NONE       NONE                      No skill invocation
Clipboard             NONE       NONE                      No clipboard access
Browser               NONE       NONE                      No browser automation
Database              NONE       NONE                      No database operations
Pattern matches: 1 high-severity, 5 findings total
High   | API key      | Suspected hardcoded credential: API_KEY="your_appkey_here" (SKILL.md:31)
Medium | External URL | https://www.jisuapi.com/ (SKILL.md:9)
Medium | External URL | https://www.jisuapi.com/api/car (SKILL.md:24)
Medium | External URL | https://www.jisuapi.com/api/car/ (car.py:5)
Medium | External URL | https://api.jisuapi.com/car (car.py:14)

Directory structure

2 files · 12.7 KB · 391 lines
Python: 1 file · 232 lines; Markdown: 1 file · 159 lines
├─ car.py (Python, 232 lines · 6.1 KB)
└─ SKILL.md (Markdown, 159 lines · 6.6 KB)

Dependency analysis (1)

Package    Version   Source   Known vulnerabilities   Notes
requests   *         pip      none listed             Version not pinned - consider pinning for stability

Security highlights

✓ No shell execution or subprocess calls
✓ No file system operations beyond standard library
✓ No credential exfiltration or data theft
✓ Clean, straightforward API wrapper design
✓ No base64, eval, or obfuscation patterns
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No remote script execution (curl|bash, wget|sh)
✓ No hidden functionality or stealthy behavior
✓ Legitimate third-party API service (JisuAPI.com)
✓ Proper error handling with timeout and exception management