Bank Card Recognition OCR - 银行卡识别 Security Report — Trusted | ClawSafe

5 /100

Bank Card Recognition OCR - 银行卡识别

OCR bank card image, returns card number, bank name, and card type via JisuAPI

Bank card OCR skill that safely calls a declared third-party API with proper path traversal guards and no credential exfiltration.

Skill NameBank Card Recognition OCR - 银行卡识别

Duration30.6s

Enginepi

✓

Safe to install

No action needed. Consider pinning the `requests` dependency to a specific version for reproducible builds.

Findings 1 items

Severity	Finding	Location
Low	Unpinned `requests` dependency The script imports `requests` without a version constraint. A transitive dependency could theoretically be replaced with a malicious version at install time. `import requests` → Add a requirements.txt or specify a minimum version, e.g. `requests>=2.28.0`.	`bankcardcognition.py:14`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`READ`	`READ`	✓ Aligned	SKILL.md:38 — path/image/file fields for local image reading; bankcardcognition.…
Network	`READ`	`READ`	✓ Aligned	SKILL.md:2 — external JisuAPI service declared; bankcardcognition.py:17 — single…
Shell	`NONE`	`NONE`	—	No subprocess, os.system, or shell execution found
Environment	`READ`	`READ`	✓ Aligned	SKILL.md:8 — requires JISU_API_KEY; bankcardcognition.py:118 — reads os.getenv('…

1 High 4 findings

🔑

High API Key 疑似硬编码凭证

API_KEY="your_appkey_here"

SKILL.md:21

🔗

Medium External URL 外部 URL

https://www.jisuapi.com/

SKILL.md:9

🔗

Medium External URL 外部 URL

https://www.jisuapi.com/api/bankcardcognition/

SKILL.md:16

🔗

Medium External URL 外部 URL

https://api.jisuapi.com/bankcardcognition/recognize

bankcardcognition.py:17

File Tree

2 files · 10.1 KB · 309 lines

Python 1f · 163L Markdown 1f · 146L

├─ 🐍 bankcardcognition.py Python 163L · 4.7 KB

└─ 📝 SKILL.md Markdown 146L · 5.4 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`requests`	`unpinned`	import	No	No version constraint; consider pinning to a specific release

Security Positives

✓ Path traversal protection: _normalize_local_path blocks absolute paths and '..' sequences, restricting reads to CWD and subdirectories

✓ No credential exfiltration: JISU_API_KEY is read from the environment and sent only to the declared JisuAPI endpoint

✓ Single, declared network destination: only POSTs to api.jisuapi.com/bankcardcognition/recognize

✓ No shell execution, no eval, no subprocess, no base64-to-bash patterns

✓ No hidden instructions, no obfuscation, no suspicious HTML comments

✓ JSON input validation: checks type and structure before processing

✓ Clean error handling with structured error responses

Scan Report

Findings 1 items

File Tree

Dependencies 1 items

Security Positives