Low risk (risk score 10/100)
Last scan: 2 days ago
ID Card Recognition OCR - 身份证识别
ID card OCR skill that sends images to JisuAPI for recognition, returning name, ID number and other fields
Legitimate ID card OCR skill using a documented third-party API with proper path traversal protection and secure credential handling.
Skill name: ID Card Recognition OCR - 身份证识别
Analysis time: 32.2s
Engine: pi
Verdict: safe to install
This skill is safe to use. No action required.

Security findings (3)

Severity | Finding | Location

[Info] External API processing is documented and expected
The skill sends images to jisuapi.com for OCR processing. This is clearly stated in SKILL.md as the core functionality.
    IDCARD_RECOG_URL = "https://api.jisuapi.com/idcardrecognition/recognize"
→ No action needed - this is the intended purpose of the skill
Location: idcardrecognition.py:17

[Info] Path traversal protection implemented
The _normalize_local_path function properly blocks absolute paths and directory traversal attacks.
    if norm.startswith('..') or norm == '..': return {'error': 'invalid_path', ...}
→ Good security practice - no changes needed
Location: idcardrecognition.py:20

[Info] API key stored in environment variable
JISU_API_KEY is retrieved from os.getenv() rather than being hardcoded, following security best practices.
    appkey = os.getenv('JISU_API_KEY')
→ No action needed - this is the correct approach
Location: idcardrecognition.py:128
Permissions

Resource type      | Declared | Inferred | Status       | Evidence
File system        | READ     | READ     | ✓ consistent | idcardrecognition.py:63 - reads local image files with path traversal protection
Network access     | READ     | READ     | ✓ consistent | idcardrecognition.py:17 - POSTs to api.jisuapi.com for OCR processing
Environment vars   | READ     | READ     | ✓ consistent | idcardrecognition.py:128 - reads JISU_API_KEY from os.getenv
Command execution  | NONE     | NONE     |              | No subprocess or shell execution found
Secrets and external URLs: 4 findings (1 high)

🔑 [High] API key - suspected hardcoded credential
    API_KEY="your_appkey_here"
Location: SKILL.md:25

🔗 [Medium] External URL
    https://www.jisuapi.com/
Location: SKILL.md:9

🔗 [Medium] External URL
    https://www.jisuapi.com/api/idcardrecognition/
Location: SKILL.md:20

🔗 [Medium] External URL
    https://api.jisuapi.com/idcardrecognition/recognize
Location: idcardrecognition.py:17

Directory structure

2 files · 12.0 KB · 364 lines
Python: 1 file, 196 lines · Markdown: 1 file, 168 lines
├─ 🐍 idcardrecognition.py Python 196L · 5.7 KB
└─ 📝 SKILL.md Markdown 168L · 6.3 KB

Dependency analysis (1)

Package  | Version | Source | Known vulnerabilities | Notes
requests | *       | pip    |                       | Standard HTTP library for API calls

Security highlights

✓ Clear documentation matching implementation
✓ Path traversal protection prevents reading arbitrary files
✓ API key stored in environment, not hardcoded
✓ No subprocess/eval/exec calls
✓ No credential exfiltration
✓ No obfuscated code or hidden functionality
✓ Clean error handling throughout