Low risk: risk score 10/100
Last scan: 2 days ago
jisu-character
MBTI personality test skill, built on the Jisu Data (极速数据) API; supports answering the full or short version of the test question by question.
Legitimate MBTI personality test skill with clear documentation and no malicious behavior detected.
Skill name: jisu-character
Analysis time: 29.3s
Engine: pi
Verdict: safe to install
Skill is safe to use. The API_KEY placeholder in documentation is not a security concern.

Security findings (2)

Severity | Finding | Location

Low | Documentation contains placeholder API key example | SKILL.md:25
  SKILL.md line 25 shows API_KEY='your_appkey_here' as a placeholder in setup instructions. This is standard documentation practice and not an actual credential.
  Evidence: export JISU_API_KEY="your_appkey_here"
  → No action needed - this is example text in user setup instructions

Info | Network access not explicitly declared in allowed-tools mapping | character.py:37
  The skill makes external HTTP requests to jisuapi.com but network:READ is not in the declared allowed-tools. However, this is necessary for the API functionality.
  Evidence: resp = requests.get(url, params=query, timeout=15)
  → Consider adding network:READ to declared permissions if the skill system requires explicit declarations
Resource type         | Declared permission | Inferred permission | Status       | Evidence
Filesystem            | NONE                | NONE                |              | No file read/write operations in character.py
Network access        | NONE                | READ                | ✓ consistent | character.py:27-28 defines QUESTIONS_URL and ANSWER_URL, makes API calls via req…
Command execution     | READ                | READ                | ✓ consistent | Bash execution via python3 is declared and necessary for skill invocation
Environment variables | READ                | READ                | ✓ consistent | character.py:222 reads JISU_API_KEY from os.getenv() - declared in SKILL.md meta…
Skill invocation      | NONE                | NONE                |              | No nested skill invocations
Clipboard             | NONE                | NONE                |              | No clipboard access
Browser               | NONE                | NONE                |              | No browser automation
Database              | NONE                | NONE                |              | No database access
5 findings (1 high)

Severity | Type         | Category                        | Value                                       | Location
High     | API key      | Suspected hard-coded credential | API_KEY="your_appkey_here"                  | SKILL.md:25
Medium   | External URL | External URL                    | https://www.jisuapi.com/                    | SKILL.md:9
Medium   | External URL | External URL                    | https://www.jisuapi.com/api/character/      | SKILL.md:18
Medium   | External URL | External URL                    | https://api.jisuapi.com/character/questions | character.py:16
Medium   | External URL | External URL                    | https://api.jisuapi.com/character/answer    | character.py:17

Directory structure

2 files · 14.8 KB · 431 lines
Python: 1 file · 260 lines; Markdown: 1 file · 171 lines
├─ 🐍 character.py Python 260L · 8.3 KB
└─ 📝 SKILL.md Markdown 171L · 6.5 KB

Dependency analysis (1)

Package  | Version | Source | Known vulnerabilities | Notes
requests | *       | pip    |                       | Version not pinned; consider pinning to a specific version for reproducibility

Security highlights

✓ Code is well-structured with clear function separation (cmd_questions, cmd_answer, cmd_next, cmd_quiz)
✓ Input validation present for version, cursor, picked, and choice parameters
✓ Error handling covers request failures, HTTP errors, JSON parse errors, and API errors
✓ API key only read from environment variable, never hardcoded or exfiltrated
✓ No subprocess spawning or shell command injection vulnerabilities
✓ No sensitive path access (~/.ssh, ~/.aws, .env files)
✓ No base64 encoding, eval(), or obfuscated code patterns
✓ No data exfiltration or suspicious network destinations beyond declared API
✓ Timeout of 15 seconds configured for API requests