Mobile Phone Number Location Lookup - Jike Data (手机号码归属地查询 - 即刻数据)

Security checks across malware telemetry and agentic risk

Overview

This skill does the advertised Chinese mobile-number lookup, with normal privacy and API-key risks for a third-party lookup service.

Install only if you are comfortable sending queried phone numbers and your Jike AppKey to the configured Jike API endpoint. Keep the AppKey out of public repos and shell history, leave JIKE_API_BASE_URL unset unless you intentionally use a trusted endpoint, and avoid querying numbers without appropriate permission.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Tainted flow: 'url' from os.environ.get (line 204, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
url = f"{API_BASE_URL}{API_PATH}?{params}"

try:
    with urllib.request.urlopen(url, timeout=15) as response:
        payload = json.loads(response.read().decode("utf-8"))
except urllib.error.HTTPError as exc:
    return {"success": False, "mobile": mobile, "error": f"接口请求失败: HTTP {exc.code}"}
Confidence
95% confidence
Finding
with urllib.request.urlopen(url, timeout=15) as response:

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the AI to extract and submit full mobile phone numbers to a third-party API but does not place a clear privacy warning or consent notice before that transmission. Because phone numbers are personal data, sending them off-platform without explicit user awareness can create privacy and compliance risk, especially in an AI-assisted context where users may not realize an external service is involved.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script sends full phone numbers and the AppKey to a third-party API, but the user-facing behavior does not clearly disclose that sensitive personal data is transmitted off-host. In an agent/skill setting, users may assume a local lookup, so this can cause unintended privacy disclosure and credential exposure to an external provider.

VirusTotal

62/62 vendors flagged this skill as clean.
