Trusted: risk score 5/100
Last scan: 2 days ago
Bank Card Recognition OCR - 银行卡识别
Runs OCR on a bank card image and returns the card number, bank name, and card type via JisuAPI
Bank card OCR skill that safely calls a declared third-party API with proper path traversal guards and no credential exfiltration.
Skill name: Bank Card Recognition OCR - 银行卡识别
Analysis time: 30.6s
Engine: pi
Verdict: OK to install
No action needed. Consider pinning the `requests` dependency to a specific version for reproducible builds.

Security findings: 1

Severity: Low
Finding: Unpinned `requests` dependency
Location: bankcardcognition.py:14
The script imports `requests` (`import requests`) without any version constraint, so `pip install` resolves whatever release is current at install time. A newly published malicious or compromised release of `requests`, or of one of its transitive dependencies, would therefore be picked up automatically on the next install.
→ Add a requirements.txt that pins an exact release (`requests==<version>`). A lower bound such as `requests>=2.28.0` only rules out old releases and does not make builds reproducible. For supply-chain protection, also record hashes (for example with `pip-compile --generate-hashes`) and install with `pip install --require-hashes -r requirements.txt`, so a substituted package with the same version number is rejected.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | READ | READ | ✓ consistent | SKILL.md:38 — path/image/file fields for local image reading; bankcardcognition.… |
| Network access | READ | READ | ✓ consistent | SKILL.md:2 — external JisuAPI service declared; bankcardcognition.py:17 — single… |
| Command execution | NONE | NONE | | No subprocess, os.system, or shell execution found |
| Environment variables | READ | READ | ✓ consistent | SKILL.md:8 — requires JISU_API_KEY; bankcardcognition.py:118 — reads os.getenv('… |
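The permission table above is what a well-behaved skill of this shape should look like: the key comes only from the environment, and the only network destination is the one declared in SKILL.md. The following is an added example of a client written to those constraints; it is not the skill's own code. The endpoint URL and the `JISU_API_KEY` variable name are taken from the scan evidence; the form field names (`appkey`, `path`, `url`), the response shape, and all function names are assumptions. The transport is injectable so the request path can be exercised offline, and the error path is written so the key never appears in a returned message.

```python
"""Minimal OCR client: key from the environment, one constant destination, structured errors.

Added example, not the skill's own code. Assumed: endpoint URL and JISU_API_KEY name
come from the scan evidence; field names ('appkey', 'path', 'url') and the response
shape are illustrative only.
"""
import os
from typing import Any, Callable, Dict, List, Mapping, Tuple

OCR_ENDPOINT = "https://api.jisuapi.com/bankcardcognition/recognize"  # the single declared destination
API_KEY_ENV = "JISU_API_KEY"
Transport = Callable[[str, Dict[str, str]], Tuple[int, Any]]  # (url, form) -> (status, parsed body)


def _error(code: str, message: str) -> Dict[str, Any]:
    """Structured error: a stable machine-readable code plus a message that never carries the key."""
    return {"ok": False, "error": code, "message": message}


def validate_request(payload: Any) -> Dict[str, str]:
    """Accept a JSON object with exactly one non-empty string field, 'path' or 'url' (assumed names).

    Raises ValueError with a short reason; recognize() turns that into a structured error.
    """
    if not isinstance(payload, dict):
        raise ValueError("payload must be a JSON object")
    sources = {k: v for k, v in payload.items() if k in ("path", "url")}
    if len(sources) != 1:
        raise ValueError("exactly one of 'path' or 'url' is required")
    (field, value), = sources.items()
    if not isinstance(value, str) or not value.strip():
        raise ValueError(f"'{field}' must be a non-empty string")
    return {field: value.strip()}


def recognize(payload: Any, post: Transport, env: Mapping[str, str] = os.environ) -> Dict[str, Any]:
    """Validate input, read the key from the environment, POST exactly once to OCR_ENDPOINT."""
    try:
        source = validate_request(payload)
    except ValueError as exc:
        return _error("bad_request", str(exc))
    key = env.get(API_KEY_ENV, "")
    if not key:
        return _error("missing_credential", f"{API_KEY_ENV} is not set")
    form = {"appkey": key, **source}
    try:
        status, body = post(OCR_ENDPOINT, form)  # URL is a constant, never derived from input
    except Exception as exc:  # transport failure: report the class only, the form holds the key
        return _error("transport_error", type(exc).__name__)
    if status != 200 or not isinstance(body, dict):
        return _error("upstream_error", f"HTTP {status}")
    return {"ok": True, "result": body}


def requests_transport(url: str, form: Dict[str, str]) -> Tuple[int, Any]:
    """Real transport using requests (imported lazily so this module also loads without it)."""
    import requests
    resp = requests.post(url, data=form, timeout=15)
    try:
        return resp.status_code, resp.json()
    except ValueError:
        return resp.status_code, None


def make_fake_transport(log: List[Tuple[str, Dict[str, str]]], status: int = 200) -> Transport:
    """Offline transport that records every (url, form) it receives and returns a constructed reply."""
    def post(url: str, form: Dict[str, str]) -> Tuple[int, Any]:
        log.append((url, dict(form)))
        return status, {"cardnumber": "6222 **** **** 1234", "bank": "constructed", "cardtype": "debit"}
    return post


def failing_transport(url: str, form: Dict[str, str]) -> Tuple[int, Any]:
    """Transport that always fails, to show that the error path does not echo the form."""
    raise ConnectionError("upstream unreachable")


if __name__ == "__main__":
    calls: List[Tuple[str, Dict[str, str]]] = []
    out = recognize({"path": "images/card.png"}, make_fake_transport(calls), env={API_KEY_ENV: "test-key"})
    print(out, calls[0][0])
```

Swapping `make_fake_transport(...)` for `requests_transport` gives the live client; the fake is what lets a reviewer assert that the key only ever travels to `OCR_ENDPOINT`.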
Secrets and external URLs: 4 findings (1 high)

| Severity | Type | Value | Location |
|---|---|---|---|
| High | API key (suspected hard-coded credential) | `API_KEY="your_appkey_here"` | SKILL.md:21 |
| Medium | External URL | https://www.jisuapi.com/ | SKILL.md:9 |
| Medium | External URL | https://www.jisuapi.com/api/bankcardcognition/ | SKILL.md:16 |
| Medium | External URL | https://api.jisuapi.com/bankcardcognition/recognize | bankcardcognition.py:17 |

The flagged value is the placeholder in the SKILL.md setup instructions, not a live key; the script reads the real key from the JISU_API_KEY environment variable (bankcardcognition.py:118), which is why the permission analysis rates credential handling as consistent. Before installing, confirm that the placeholder was never replaced with a real key in any committed revision. The three URLs all belong to the declared vendor (jisuapi.com): a documentation page, the API description, and the single endpoint the code actually POSTs to.

Directory structure

2 files · 10.1 KB · 309 lines (Python: 1 file, 163 lines; Markdown: 1 file, 146 lines)
├─ bankcardcognition.py  (Python, 163 lines, 4.7 KB)
└─ SKILL.md  (Markdown, 146 lines, 5.4 KB)

Dependency analysis: 1

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| requests | unpinned | import | none listed | No version constraint; consider pinning to a specific release |

Security highlights

✓ Path traversal protection: _normalize_local_path blocks absolute paths and '..' sequences, restricting reads to CWD and subdirectories. Note that string-level checks do not cover a symlink inside CWD that points outside it; whether the function also resolves symlinks before reading is not shown in this report.
✓ No credential exfiltration: JISU_API_KEY is read from the environment and sent only to the declared JisuAPI endpoint
✓ Single, declared network destination: only POSTs to api.jisuapi.com/bankcardcognition/recognize
✓ No shell execution, no eval, no subprocess, no base64-to-bash patterns
✓ No hidden instructions, no obfuscation, no suspicious HTML comments
✓ JSON input validation: checks type and structure before processing
✓ Clean error handling with structured error responses
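The first highlight describes the guard only by its string checks (no absolute paths, no `..`). As an added example that is not the skill's `_normalize_local_path`, the function below applies those two checks and then adds the containment check that string inspection cannot provide: it resolves symlinks and requires the real location to stay under the base directory. Function names, the NUL-byte check, and the constructed directory layout in `run_checks()` are assumptions; the symlink case assumes a POSIX filesystem.

```python
"""Confine user-supplied image paths to a base directory (default: the current working directory).

Added example, not the skill's own _normalize_local_path. Assumed: function names, the NUL
check, and the constructed layout built by run_checks(); symlinks require POSIX.
"""
import os
import tempfile
from pathlib import Path
from typing import Optional


class UnsafePathError(ValueError):
    """Raised when a path would escape the allowed base directory."""


def normalize_local_path(user_path: str, base_dir: Optional[str] = None) -> Path:
    """Return the resolved path of user_path if it stays under base_dir.

    Rejects, in order: embedded NUL bytes (they truncate C-level filenames), absolute
    paths, any '..' component, and, after resolving symlinks, any path whose real
    location lies outside the base directory.
    """
    if "\x00" in user_path:
        raise UnsafePathError("embedded NUL byte")
    base = Path(base_dir or os.getcwd()).resolve()
    candidate = Path(user_path)
    if candidate.is_absolute():
        raise UnsafePathError(f"absolute path not allowed: {user_path!r}")
    if ".." in candidate.parts:
        raise UnsafePathError(f"parent traversal not allowed: {user_path!r}")
    # resolve() follows symlinks, so a link inside base that points outside it is
    # caught by the containment check below; the string checks above would miss it.
    resolved = (base / candidate).resolve()
    try:
        resolved.relative_to(base)
    except ValueError:
        raise UnsafePathError(f"path escapes base directory: {user_path!r}") from None
    return resolved


def is_safe(user_path: str, base_dir: Optional[str] = None) -> bool:
    """Boolean wrapper used by the checks below."""
    try:
        normalize_local_path(user_path, base_dir)
        return True
    except UnsafePathError:
        return False


def run_checks() -> dict:
    """Exercise the guard against a constructed layout: a base dir, an image inside it,
    a file outside it, and a symlink inside the base pointing at the outside file."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "skill"
        (base / "images").mkdir(parents=True)
        (base / "images" / "card.png").write_bytes(b"\x89PNG stub")  # constructed sample file
        outside = Path(tmp) / "secret.txt"
        outside.write_text("not for the skill")
        os.symlink(outside, base / "images" / "link.txt")  # the case string checks miss
        return {
            "relative_ok": is_safe("images/card.png", str(base)),
            "dotdot_blocked": not is_safe("../secret.txt", str(base)),
            "nested_dotdot_blocked": not is_safe("images/../../secret.txt", str(base)),
            "absolute_blocked": not is_safe(str(outside), str(base)),
            "symlink_blocked": not is_safe("images/link.txt", str(base)),
            "nul_blocked": not is_safe("images/card.png\x00.jpg", str(base)),
        }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

The `..` and absolute-path checks are kept because they fail fast with a clear message, but the `relative_to(base)` check after `resolve()` is the one that actually enforces the boundary; a guard that stops at the string checks lets `images/link.txt` read `secret.txt`.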