100,000 Whys - Jike Data
Pass
Audited by VirusTotal on May 9, 2026.
Overview
Type: OpenClaw Skill
Name: jike-tenwhy-query
Version: 1.0.0
The skill is a standard API client for a Chinese Q&A service ('100,000 Whys') hosted at jikeapi.cn. The script `scripts/tenwhy_query.py` uses the Python standard library (urllib) to perform keyword searches and fetch random questions via HTTP GET requests. It handles API keys through standard environment variables or a local .env file and contains no evidence of malicious behavior, data exfiltration, or harmful prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the skill must provide a valid API key, and that key is sent to the configured API endpoint.
The script reads a Jike AppKey and attaches it to API requests. This credential use is expected for the stated service, but users should treat the key as sensitive.
APPKEY_ENV_NAMES = ("JIKE_TENWHY_QUERY_KEY", "JIKE_APPKEY") ... urlencode({**params, 'appkey': appkey})
Use a dedicated, least-privileged AppKey if available, keep it out of shared logs, and prefer environment variables over passing secrets on the command line.
A misconfigured or untrusted environment variable could redirect API requests away from jikeapi.cn.
The default API host matches the stated provider, but the destination can be changed by an environment variable that is not documented in SKILL.md. If set unexpectedly, the query and AppKey would be sent to that alternate endpoint.
API_BASE_URL = os.environ.get("JIKE_API_BASE_URL", "https://api.jikeapi.cn").rstrip("/")
Leave JIKE_API_BASE_URL unset unless you intentionally use a trusted proxy or test endpoint; maintainers should document this override if it is intended.
