EPC Query For Auto Parts - 汽车配件EPC查询安全扫描报告 — 可信 | ClawSafe

0 /100

EPC Query For Auto Parts - 汽车配件EPC查询

按品牌/车型/VIN 查 EPC 结构树、分解图与零件信息

A benign, legitimate EPC (Electronic Parts Catalog) query skill that queries a single third-party API (JisuAPI) using only an explicitly declared API key environment variable.

技能名称EPC Query For Auto Parts - 汽车配件EPC查询

分析耗时23.8s

引擎pi

✓

可以安装

No action needed. The skill is safe to use.

资源类型	声明权限	推断权限	状态	证据
网络访问	`READ`	`READ`	✓ 一致	epc.py:25 — requests.get to https://api.jisuapi.com/epc/
环境变量	`READ`	`READ`	✓ 一致	epc.py:149 — os.getenv('JISU_API_KEY')
命令执行	`NONE`	`NONE`	—	No subprocess or shell execution found
文件系统	`NONE`	`NONE`	—	No file read/write operations
剪贴板	`NONE`	`NONE`	—	No clipboard access
浏览器	`NONE`	`NONE`	—	No browser automation
数据库	`NONE`	`NONE`	—	No database operations
技能调用	`NONE`	`NONE`	—	No skill invocation

1 高危 6 项发现

🔑

高危 API 密钥疑似硬编码凭证

API_KEY="your_appkey_here"

SKILL.md:29

🔗

中危外部 URL 外部 URL

https://www.jisuapi.com/

SKILL.md:9

🔗

中危外部 URL 外部 URL

https://www.jisuapi.com/api/epc/

SKILL.md:22

🔗

中危外部 URL 外部 URL

http://pic1.jisuapi.cn/epc/upload/car/9.png

SKILL.md:130

🔗

中危外部 URL 外部 URL

http://pic1.jisuapi.cn/epc/upload/group/...

SKILL.md:195

🔗

中危外部 URL 外部 URL

https://api.jisuapi.com/epc

epc.py:14

目录结构

2 文件 · 13.2 KB · 440 行

Markdown 1f · 248L Python 1f · 192L

├─ 🐍 epc.py Python 192L · 5.2 KB

└─ 📝 SKILL.md Markdown 248L · 8.0 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`requests`	`latest (not pinned)`	pip	否	requests is a widely-used, well-maintained library. Version unpinned but this is common for small scripts.

安全亮点

✓ Only makes HTTP GET requests to a single, legitimate third-party API (api.jisuapi.com)

✓ Only accesses the intended JISU_API_KEY environment variable — no credential harvesting

✓ No shell execution, subprocess, or system command invocation

✓ No sensitive path access (~/.ssh, ~/.aws, .env files, etc.)

✓ No obfuscation, base64 encoding, or eval() calls

✓ No data exfiltration or external IP communication beyond the documented API endpoint

✓ Clean, readable code with no hidden functionality

✓ Proper error handling with typed error responses

✓ All capabilities are explicitly declared in SKILL.md

✓ The 'your_appkey_here' placeholder in SKILL.md is a documentation example, not a real credential