EPC Query For Auto Parts - 汽车配件EPC查询 Security Report — Trusted | ClawSafe

0 /100

EPC Query For Auto Parts - 汽车配件EPC查询

按品牌/车型/VIN 查 EPC 结构树、分解图与零件信息

A benign, legitimate EPC (Electronic Parts Catalog) query skill that queries a single third-party API (JisuAPI) using only an explicitly declared API key environment variable.

Skill NameEPC Query For Auto Parts - 汽车配件EPC查询

Duration23.8s

Enginepi

✓

Safe to install

No action needed. The skill is safe to use.

Resource	Declared	Inferred	Status	Evidence
Network	`READ`	`READ`	✓ Aligned	epc.py:25 — requests.get to https://api.jisuapi.com/epc/
Environment	`READ`	`READ`	✓ Aligned	epc.py:149 — os.getenv('JISU_API_KEY')
Shell	`NONE`	`NONE`	—	No subprocess or shell execution found
Filesystem	`NONE`	`NONE`	—	No file read/write operations
Clipboard	`NONE`	`NONE`	—	No clipboard access
Browser	`NONE`	`NONE`	—	No browser automation
Database	`NONE`	`NONE`	—	No database operations
Skill Invoke	`NONE`	`NONE`	—	No skill invocation

1 High 6 findings

🔑

High API Key 疑似硬编码凭证

API_KEY="your_appkey_here"

SKILL.md:29

🔗

Medium External URL 外部 URL

https://www.jisuapi.com/

SKILL.md:9

🔗

Medium External URL 外部 URL

https://www.jisuapi.com/api/epc/

SKILL.md:22

🔗

Medium External URL 外部 URL

http://pic1.jisuapi.cn/epc/upload/car/9.png

SKILL.md:130

🔗

Medium External URL 外部 URL

http://pic1.jisuapi.cn/epc/upload/group/...

SKILL.md:195

🔗

Medium External URL 外部 URL

https://api.jisuapi.com/epc

epc.py:14

File Tree

2 files · 13.2 KB · 440 lines

Markdown 1f · 248L Python 1f · 192L

├─ 🐍 epc.py Python 192L · 5.2 KB

└─ 📝 SKILL.md Markdown 248L · 8.0 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`requests`	`latest (not pinned)`	pip	No	requests is a widely-used, well-maintained library. Version unpinned but this is common for small scripts.

Security Positives

✓ Only makes HTTP GET requests to a single, legitimate third-party API (api.jisuapi.com)

✓ Only accesses the intended JISU_API_KEY environment variable — no credential harvesting

✓ No shell execution, subprocess, or system command invocation

✓ No sensitive path access (~/.ssh, ~/.aws, .env files, etc.)

✓ No obfuscation, base64 encoding, or eval() calls

✓ No data exfiltration or external IP communication beyond the documented API endpoint

✓ Clean, readable code with no hidden functionality

✓ Proper error handling with typed error responses

✓ All capabilities are explicitly declared in SKILL.md

✓ The 'your_appkey_here' placeholder in SKILL.md is a documentation example, not a real credential

Scan Report

File Tree

Dependencies 1 items

Security Positives