Low Risk — Risk Score 10/100
Last scan: 2 days ago
jisu-character
MBTI personality test skill, built on the Jisu Data API, offering question-by-question answering in a full or short version
Legitimate MBTI personality test skill with clear documentation and no malicious behavior detected.
Skill Name: jisu-character
Duration: 29.3s
Engine: pi
Safe to install
Skill is safe to use. The API_KEY placeholder in documentation is not a security concern.

Findings 2 items

Severity · Finding · Location

Low · Documentation contains placeholder API key example · SKILL.md:25
  SKILL.md line 25 shows API_KEY='your_appkey_here' as a placeholder in setup instructions. This is standard documentation practice and not an actual credential.
    export JISU_API_KEY="your_appkey_here"
  → No action needed - this is example text in user setup instructions

Info · Network access not explicitly declared in allowed-tools mapping · character.py:37
  The skill makes external HTTP requests to jisuapi.com, but network:READ is not in the declared allowed-tools. However, this is necessary for the API functionality.
    resp = requests.get(url, params=query, timeout=15)
  → Consider adding network:READ to declared permissions if the skill system requires explicit declarations
Resource      Declared  Inferred  Status     Evidence
Filesystem    NONE      NONE                 No file read/write operations in character.py
Network       NONE      READ      ✓ Aligned  character.py:27-28 defines QUESTIONS_URL and ANSWER_URL, makes API calls via req…
Shell         READ      READ      ✓ Aligned  Bash execution via python3 is declared and necessary for skill invocation
Environment   READ      READ      ✓ Aligned  character.py:222 reads JISU_API_KEY from os.getenv() - declared in SKILL.md meta…
Skill Invoke  NONE      NONE                 No nested skill invocations
Clipboard     NONE      NONE                 No clipboard access
Browser       NONE      NONE                 No browser automation
Database      NONE      NONE                 No database access
1 High · 5 findings

🔑 High · API Key · Suspected hard-coded credential
   API_KEY="your_appkey_here"
   SKILL.md:25

🔗 Medium · External URL
   https://www.jisuapi.com/
   SKILL.md:9

🔗 Medium · External URL
   https://www.jisuapi.com/api/character/
   SKILL.md:18

🔗 Medium · External URL
   https://api.jisuapi.com/character/questions
   character.py:16

🔗 Medium · External URL
   https://api.jisuapi.com/character/answer
   character.py:17

File Tree

2 files · 14.8 KB · 431 lines
Python 1f · 260L Markdown 1f · 171L
├─ 🐍 character.py Python 260L · 8.3 KB
└─ 📝 SKILL.md Markdown 171L · 6.5 KB

Dependencies 1 items

Package   Version  Source  Known Vulns  Notes
requests  *        pip     No           Version not pinned; consider pinning to a specific version for reproducibility

Security Positives

✓ Code is well-structured with clear function separation (cmd_questions, cmd_answer, cmd_next, cmd_quiz)
✓ Input validation present for version, cursor, picked, and choice parameters
✓ Error handling covers request failures, HTTP errors, JSON parse errors, and API errors
✓ API key only read from environment variable, never hardcoded or exfiltrated
✓ No subprocess spawning or shell command injection vulnerabilities
✓ No sensitive path access (~/.ssh, ~/.aws, .env files)
✓ No base64 encoding, eval(), or obfuscated code patterns
✓ No data exfiltration or suspicious network destinations beyond declared API
✓ Timeout of 15 seconds configured for API requests