Low risk. Risk score: 20/100
Last scan: 2 days ago
VIN (Vehicle Identification Number) Query
Query vehicle brand, model, year, displacement via 17-digit VIN using JisuAPI. Also supports oil and gearbox info lookup by car ID.
A straightforward VIN query wrapper for the JisuAPI service with no malicious behavior, though minor documentation inconsistencies exist.
Skill name: VIN (Vehicle Identification Number) Query
Analysis time: 32.6s
Engine: pi
Verdict: can be installed
Fix the script path mismatch between SKILL.md (skills/vin/vin.py) and the actual file location (vin.py). Consider pinning the requests dependency to a specific version.

Security findings: 2

Severity | Finding | Location
Low | Script path mismatch between docs and implementation | SKILL.md:40
  SKILL.md documents the script path as skills/vin/vin.py, but the actual file is vin.py at the repository root. This is a minor documentation inconsistency that could confuse users.
  Evidence: script file skills/vin/vin.py
  → Update SKILL.md to reflect the correct path (vin.py) or move the file to the documented location.
Low | Dependency version not pinned | vin.py:9
  The requests library has no version constraint, which could allow a future malicious version to be installed.
  Evidence: import requests
  → Pin requests to a specific version (e.g., requests>=2.25.0,<3.0.0) if a dependency manifest is added.
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ consistent | vin.py:14-16: GET requests to jisuapi.com
Environment variables | READ | READ | ✓ consistent | vin.py:155: os.getenv('JISU_API_KEY')
Filesystem | NONE | NONE | | No file read/write operations in vin.py
Command execution | NONE | NONE | | No subprocess or shell execution in vin.py
Database | NONE | NONE | | No database access in vin.py
Clipboard | NONE | NONE | | No clipboard access in vin.py
Browser | NONE | NONE | | No browser automation in vin.py
Skill invocation | NONE | NONE | | No nested skill invocation in vin.py
Flagged items: 9 (1 high severity)

Severity | Type | Finding | Value | Location
High | API key | Suspected hard-coded credential | API_KEY="your_appkey_here" | SKILL.md:25
Medium | External URL | External URL | https://www.jisuapi.com/ | SKILL.md:9
Medium | External URL | External URL | https://www.jisuapi.com/api/vin/ | SKILL.md:18
Medium | External URL | External URL | http://pic1.jisuapi.cn/car/static/images/logo/300/34889.jpg | SKILL.md:88
Medium | External URL | External URL | http://pic1.jisuapi.cn/car/upload/gearbox/I-HS18.png | SKILL.md:187
Medium | External URL | External URL | http://pic1.jisuapi.cn/car/upload/gearbox/TR-8L451.png | SKILL.md:190
Medium | External URL | External URL | https://api.jisuapi.com/vin/query | vin.py:14
Medium | External URL | External URL | https://api.jisuapi.com/vin/oil | vin.py:15
Medium | External URL | External URL | https://api.jisuapi.com/vin/gearbox | vin.py:16

Directory structure

2 files · 12.8 KB · 449 lines
Markdown: 1 file, 238 lines · Python: 1 file, 211 lines
├─ 📝 SKILL.md  Markdown, 238 lines · 7.5 KB
└─ 🐍 vin.py    Python, 211 lines · 5.3 KB

Dependency analysis: 1

Package | Version | Source | Known vulnerabilities | Notes
requests | * | pip | (none listed) | Version not pinned; no dependency manifest present

Security highlights

✓ No shell execution or subprocess calls detected
✓ No credential harvesting beyond the declared JISU_API_KEY
✓ No data exfiltration — all network calls are limited to documented jisuapi.com endpoints
✓ No filesystem writes — script is read-only (API calls only)
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)
✓ No base64, eval, or obfuscated code patterns
✓ Code is clean and straightforward with proper error handling
✓ Environment variable access matches the declared JISU_API_KEY requirement