Trusted — Risk Score 10/100
Last scan: 1 day ago
Train Ticket Inquiry - 火车查询
Station-to-station, train-number and remaining-ticket queries; returns timetable, fares, remaining tickets, etc.
Clean train ticket inquiry skill with legitimate API integration and no malicious behavior.
Skill Name: Train Ticket Inquiry - 火车查询
Duration: 28.8s
Engine: pi
Safe to install
Skill is safe to use. Consider pinning requests library version for supply chain hygiene.

Findings (1 item)

Severity: Low
Finding: Unpinned dependency version
Description: The requests library is imported without version constraints, creating potential supply chain risk if a malicious version is published.
Evidence: import requests
Recommendation: → Add requirements.txt with: requests>=2.28.0
Location: train.py:11
Resource    | Declared | Inferred | Status    | Evidence
Network     | READ     | READ     | ✓ Aligned | train.py:17-19 - API endpoints are jisuapi.com domains only
Environment | READ     | READ     | ✓ Aligned | train.py:143 - reads JISU_API_KEY only, documented in metadata
Filesystem  | NONE     | READ     | ✓ Aligned | train.py:148 - json.loads(sys.argv[2]) for CLI input
Shell       | NONE     | NONE     |           | No subprocess, os.system, or shell execution found
Secrets and URLs: 6 findings (1 High)

High   | API Key (suspected hard-coded credential) | API_KEY="your_appkey_here"                  | SKILL.md:25
Medium | External URL                              | https://www.jisuapi.com/                    | SKILL.md:9
Medium | External URL                              | https://www.jisuapi.com/api/train/          | SKILL.md:18
Medium | External URL                              | https://api.jisuapi.com/train/station2s     | train.py:14
Medium | External URL                              | https://api.jisuapi.com/train/line          | train.py:15
Medium | External URL                              | https://api.jisuapi.com/train/ticket        | train.py:16

File Tree

2 files · 11.1 KB · 371 lines
Python: 1 file, 191 lines · Markdown: 1 file, 180 lines
├─ SKILL.md   Markdown   180L · 5.7 KB
└─ train.py   Python     191L · 5.3 KB

Dependencies (1 item)

Package  | Version | Source | Known Vulns | Notes
requests | *       | pip    | No          | Version not pinned - supply chain concern

Security Positives

✓ No shell execution (subprocess, os.system, shell=True)
✓ No credential exfiltration or external data transmission
✓ API calls limited to declared jisuapi.com domains only
✓ Clean JSON input parsing with proper error handling
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No base64 encoding or obfuscation
✓ No hidden HTML comments or steganography
✓ Environment variable access is documented and scoped to JISU_API_KEY only
✓ Proper timeout (10s) on network requests