ClawHub

国内猪肉价格实时查询 - 即刻数据

AdvisoryAudited by Static analysis on May 9, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

NoteHigh Confidence
ASI03: Identity and Privilege Abuse
What this means

Your Jike API key will be used when the skill makes price-query requests.

Why it was flagged

The script sends the configured Jike AppKey to the pork-price API as a URL query parameter. This is purpose-aligned and required for the service, but users should know the credential is transmitted to the API provider.

Skill content
params = {"appkey": appkey} ... url = f"{API_BASE_URL}{API_PATH}?{urllib.parse.urlencode(params)}"
Recommendation

Use a dedicated Jike API key with the minimum needed permissions, avoid sharing command output that might reveal credentials, and ensure the API base URL environment is not unexpectedly overridden.