One Hundred Thousand Whys (十万个为什么) - Jike Data (即刻数据)

Pass

Audited by ClawScan on May 9, 2026.

Overview

This skill matches its stated purpose of querying a Chinese Q&A API, with the main caveat that it uses an AppKey and sends requested keywords to the Jike API service.

This appears safe for its stated purpose. Before installing, be comfortable sending your search keywords and Jike AppKey to the configured API endpoint, keep the AppKey private, and make sure JIKE_API_BASE_URL is not set to an untrusted host.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone using the skill must provide a valid API key, and that key is sent to the configured API endpoint.

Why it was flagged

The script reads a Jike AppKey and attaches it to API requests. This credential use is expected for the stated service, but users should treat the key as sensitive.

Skill content

APPKEY_ENV_NAMES = ("JIKE_TENWHY_QUERY_KEY", "JIKE_APPKEY") ... urlencode({**params, 'appkey': appkey})

Recommendation

Use a dedicated, least-privileged AppKey if available, keep it out of shared logs, and prefer environment variables over passing secrets on the command line.

What this means

A misconfigured or untrusted environment variable could redirect API requests away from jikeapi.cn.

Why it was flagged

The default API host matches the stated provider, but the destination can be changed by an environment variable that is not documented in SKILL.md. If set unexpectedly, the query and AppKey would be sent to that alternate endpoint.

Skill content

API_BASE_URL = os.environ.get("JIKE_API_BASE_URL", "https://api.jikeapi.cn").rstrip("/")

Recommendation

Leave JIKE_API_BASE_URL unset unless you intentionally use a trusted proxy or test endpoint; maintainers should document this override if it is intended.