Mobile Phone Number Location Lookup - 即刻数据

Pass

Audited by ClawScan on May 10, 2026.

Overview

This skill appears purpose-aligned for phone-number location lookup, but it necessarily sends queried numbers and a Jike API key to the provider.

This skill is reasonable to install if you trust Jike API and want this lookup function. Configure the AppKey securely, avoid exposing it in command history or repositories, and remember that queried phone numbers are sent to the provider.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who obtains the AppKey could potentially use the associated Jike API quota or access.

Why it was flagged

The skill uses a provider AppKey, either from an environment variable or command-line argument, which is expected for this API integration but should be protected.

Skill content

export JIKE_MOBILE_KEY=你的AppKey ... python3 scripts/mobile_lookup.py --key 你的AppKey 17611491111

Recommendation

Prefer environment-variable or secret-manager storage, avoid passing real keys on shared command lines, and do not commit scripts/.env or keys to repositories.

What this means

The provider endpoint receives the full phone number being queried and the AppKey, even though normal text output masks the number for display.

Why it was flagged

The script sends the full queried phone number and AppKey to the configured API endpoint; by default this is Jike API, but an environment variable can override the base URL.

Skill content

API_BASE_URL = os.environ.get("JIKE_API_BASE_URL", "https://api.jikeapi.cn").rstrip("/") ... urllib.parse.urlencode({"mobile": mobile, "appkey": appkey})

Recommendation

Only query numbers the user intends to send to Jike API, review the provider’s data handling terms, and ensure JIKE_API_BASE_URL is unset or points to a trusted endpoint.