Scan Report
5 /100
Almanac / Huangli Inquiry - 黄历查询
按公历日期查询农历、宜忌、吉神凶煞等黄历信息
Legitimate almanac inquiry skill with fully declared network and environment access; no malicious behavior or hidden functionality detected.
Safe to install
This skill is safe to use. The API key placeholder in documentation is a standard example and poses no risk.
Findings 1 items
| Severity | Finding | Location |
|---|---|---|
| Low | Documentation contains example API key placeholder | SKILL.md:23 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | huangli.py:14 - requests.get to api.jisuapi.com |
| Environment | READ | READ | ✓ Aligned | huangli.py:62 - os.getenv('JISU_API_KEY') |
| Filesystem | NONE | NONE | — | No file operations in huangli.py |
| Shell | NONE | NONE | — | No subprocess or shell execution in huangli.py |
1 High 4 findings
High API Key 疑似硬编码凭证
API_KEY="your_appkey_here" SKILL.md:23 Medium External URL 外部 URL
https://www.jisuapi.com/ SKILL.md:9 Medium External URL 外部 URL
https://www.jisuapi.com/api/huangli SKILL.md:17 Medium External URL 外部 URL
https://api.jisuapi.com/huangli/date huangli.py:14 File Tree
2 files · 8.5 KB · 264 lines Markdown 1f · 158L
Python 1f · 106L
├─
huangli.py
Python
└─
SKILL.md
Markdown
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
requests | * | pip | No | Version not pinned but requests is widely-used and maintained |
Security Positives
✓ No shell execution or subprocess calls
✓ No sensitive path access (~/.ssh, ~/.aws, .env files)
✓ No credential exfiltration or data theft
✓ No base64 encoded payloads or obfuscated code
✓ No hidden instructions in HTML comments
✓ No remote script execution (curl|bash, wget|sh)
✓ All capabilities declared and aligned with implementation
✓ Uses standard requests library for API calls
✓ Proper error handling with try/except blocks
✓ API key read from environment, not hardcoded