Low Risk — Risk Score 20/100
Last scan: 2 days ago
VIN (Vehicle Identification Number) Query
Query vehicle brand, model, year, displacement via 17-digit VIN using JisuAPI. Also supports oil and gearbox info lookup by car ID.
A straightforward VIN query wrapper for the JisuAPI service with no malicious behavior, though minor documentation inconsistencies exist.
Skill Name: VIN (Vehicle Identification Number) Query
Duration: 32.6s
Engine: pi
Safe to install
Fix the script path mismatch between SKILL.md (skills/vin/vin.py) and the actual file location (vin.py). Consider pinning the requests dependency to a specific version.

Findings 2 items

Severity | Finding | Location
Low | Script path mismatch between docs and implementation | SKILL.md:40
  SKILL.md documents the script path as skills/vin/vin.py, but the actual file is vin.py at the repository root. This is a minor documentation inconsistency that could confuse users.
  Evidence: Script file: skills/vin/vin.py
  → Update SKILL.md to reflect the correct path (vin.py) or move the file to the documented location.
Low | Dependency version not pinned | vin.py:9
  The requests library has no version constraint, which could allow a future malicious version to be installed.
  Evidence: import requests
  → Pin requests to a specific version (e.g., requests>=2.25.0,<3.0.0) if a dependency manifest is added.
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | vin.py:14-16 — GET requests to jisuapi.com
Environment | READ | READ | ✓ Aligned | vin.py:155 — os.getenv('JISU_API_KEY')
Filesystem | NONE | NONE | | No file read/write operations in vin.py
Shell | NONE | NONE | | No subprocess or shell execution in vin.py
Database | NONE | NONE | | No database access in vin.py
Clipboard | NONE | NONE | | No clipboard access in vin.py
Browser | NONE | NONE | | No browser automation in vin.py
Skill Invoke | NONE | NONE | | No nested skill invocation in vin.py
Pattern findings: 9 items (1 High)

Severity | Type | Finding | Evidence | Location
🔑 High | API Key | Suspected hard-coded credential | API_KEY="your_appkey_here" | SKILL.md:25
🔗 Medium | External URL | External URL | https://www.jisuapi.com/ | SKILL.md:9
🔗 Medium | External URL | External URL | https://www.jisuapi.com/api/vin/ | SKILL.md:18
🔗 Medium | External URL | External URL | http://pic1.jisuapi.cn/car/static/images/logo/300/34889.jpg | SKILL.md:88
🔗 Medium | External URL | External URL | http://pic1.jisuapi.cn/car/upload/gearbox/I-HS18.png | SKILL.md:187
🔗 Medium | External URL | External URL | http://pic1.jisuapi.cn/car/upload/gearbox/TR-8L451.png | SKILL.md:190
🔗 Medium | External URL | External URL | https://api.jisuapi.com/vin/query | vin.py:14
🔗 Medium | External URL | External URL | https://api.jisuapi.com/vin/oil | vin.py:15
🔗 Medium | External URL | External URL | https://api.jisuapi.com/vin/gearbox | vin.py:16

File Tree

2 files · 12.8 KB · 449 lines
Markdown: 1 file · 238 lines; Python: 1 file · 211 lines
├─ 📝 SKILL.md (Markdown, 238 lines · 7.5 KB)
└─ 🐍 vin.py (Python, 211 lines · 5.3 KB)

Dependencies: 1 item

Package | Version | Source | Known Vulns | Notes
requests | * | pip | No | Version not pinned; no dependency manifest present

Security Positives

✓ No shell execution or subprocess calls detected
✓ No credential harvesting beyond the declared JISU_API_KEY
✓ No data exfiltration — all network calls are limited to documented jisuapi.com endpoints
✓ No filesystem writes — script is read-only (API calls only)
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)
✓ No base64, eval, or obfuscated code patterns
✓ Code is clean and straightforward with proper error handling
✓ Environment variable access matches the declared JISU_API_KEY requirement