Express Logistics Track - 快递物流查询安全扫描报告 — 低风险 | ClawSafe

10 /100

Express Logistics Track - 快递物流查询

查快递物流轨迹与签收状态，支持自动识别公司与顺丰等校验

Legitimate express tracking skill that makes API calls to Jisu Express service using a user-provided API key with no malicious behavior observed.

技能名称Express Logistics Track - 快递物流查询

分析耗时27.0s

引擎pi

✓

可以安装

No blocking action required. Consider removing the 'API_KEY=' placeholder text from SKILL.md documentation to avoid confusion.

安全发现 1 项

严重性	安全发现	位置
低危	Documentation placeholder may confuse users SKILL.md line 21 shows 'API_KEY="your_appkey_here"' which appears similar to a hardcoded credential but is actually just a configuration example placeholder `export JISU_API_KEY="your_appkey_here"` → Use a different placeholder format like '<YOUR_API_KEY>' to avoid confusion with actual credential patterns	`SKILL.md:21`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`NONE`	—	N/A - No filesystem access
网络访问	`READ`	`READ`	✓ 一致	express.py:13-14 - Only makes GET requests to api.jisuapi.com
命令执行	`NONE`	`NONE`	—	N/A - No shell execution
环境变量	`READ`	`READ`	✓ 一致	express.py:114 - Reads JISU_API_KEY from os.getenv()
技能调用	`NONE`	`NONE`	—	N/A - No cross-skill invocation

1 高危 6 项发现

🔑

高危 API 密钥疑似硬编码凭证

API_KEY="your_appkey_here"

SKILL.md:21

🔗

中危外部 URL 外部 URL

https://www.jisuapi.com/

SKILL.md:9

🔗

中危外部 URL 外部 URL

https://www.jisuapi.com/api/express

SKILL.md:14

🔗

中危外部 URL 外部 URL

https://api.jisuapi.com/express/static/images/logo/80/yunda.png

SKILL.md:95

🔗

中危外部 URL 外部 URL

https://api.jisuapi.com/express/query

express.py:13

🔗

中危外部 URL 外部 URL

https://api.jisuapi.com/express/type

express.py:14

目录结构

2 文件 · 10.2 KB · 327 行

Markdown 1f · 166L Python 1f · 161L

├─ 🐍 express.py Python 161L · 4.2 KB

└─ 📝 SKILL.md Markdown 166L · 6.0 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`requests`	`*`	pip	否	Version not pinned - consider pinning to specific version

安全亮点

✓ Uses requests library with proper timeout (10s) configured

✓ No subprocess or shell execution

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)

✓ No data exfiltration or credential theft

✓ JSON input is parsed safely using json.loads() without unsafe eval

✓ API key is read from environment variable, never hardcoded

✓ Network requests limited to legitimate Jisu Express API endpoints only

✓ No base64 encoding/decoding or obfuscated code execution

✓ Clean, straightforward implementation focused on stated purpose