Low Risk — Risk Score 10/100
Last scan: 1 day ago
ID Card Recognition OCR - 身份证识别
ID card OCR skill that sends images to JisuAPI for recognition, returning name, ID number and other fields
Legitimate ID card OCR skill using a documented third-party API with proper path traversal protection and secure credential handling.
Skill Name: ID Card Recognition OCR - 身份证识别
Duration: 32.2s
Engine: pi
Safe to install
This skill is safe to use. No action required.

Findings 3 items

Severity | Finding | Location

Info | External API processing is documented and expected | idcardrecognition.py:17
The skill sends images to jisuapi.com for OCR processing. This is clearly stated in SKILL.md as the core functionality.
Evidence: IDCARD_RECOG_URL = "https://api.jisuapi.com/idcardrecognition/recognize"
→ No action needed - this is the intended purpose of the skill

Info | Path traversal protection implemented | idcardrecognition.py:20
The _normalize_local_path function properly blocks absolute paths and directory traversal attacks.
Evidence: if norm.startswith('..') or norm == '..': return {'error': 'invalid_path', ...}
→ Good security practice - no changes needed

Info | API key stored in environment variable | idcardrecognition.py:128
JISU_API_KEY is retrieved from os.getenv() rather than being hardcoded, following security best practices.
Evidence: appkey = os.getenv('JISU_API_KEY')
→ No action needed - this is the correct approach
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | READ | ✓ Aligned | idcardrecognition.py:63 - reads local image files with path traversal protection
Network | READ | READ | ✓ Aligned | idcardrecognition.py:17 - POSTs to api.jisuapi.com for OCR processing
Environment | READ | READ | ✓ Aligned | idcardrecognition.py:128 - reads JISU_API_KEY from os.getenv
Shell | NONE | NONE | - | No subprocess or shell execution found
Pattern matches: 1 High, 4 findings

Severity | Category | Match | Location
High | API Key (suspected hardcoded credential) | API_KEY="your_appkey_here" | SKILL.md:25
Medium | External URL | https://www.jisuapi.com/ | SKILL.md:9
Medium | External URL | https://www.jisuapi.com/api/idcardrecognition/ | SKILL.md:20
Medium | External URL | https://api.jisuapi.com/idcardrecognition/recognize | idcardrecognition.py:17

File Tree

2 files · 12.0 KB · 364 lines
Python: 1 file · 196 lines; Markdown: 1 file · 168 lines
├─ 🐍 idcardrecognition.py Python 196L · 5.7 KB
└─ 📝 SKILL.md Markdown 168L · 6.3 KB

Dependencies 1 items

Package | Version | Source | Known Vulns | Notes
requests | * | pip | No | Standard HTTP library for API calls

Security Positives

✓ Clear documentation matching implementation
✓ Path traversal protection prevents reading arbitrary files
✓ API key stored in environment, not hardcoded
✓ No subprocess/eval/exec calls
✓ No credential exfiltration
✓ No obfuscated code or hidden functionality
✓ Clean error handling throughout