Chinese Word Query - Jike Data

Advisory

Audited by Static analysis on May 9, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill will use your Jike API key to make word-query requests; if you pass the key on the command line, it may be exposed in shell history or process listings.

Why it was flagged

The skill requires and transmits a Jike AppKey to authenticate API requests. This is expected for the stated API-backed lookup function, but it is still a credential users should protect.

Skill content

APPKEY_ENV_NAMES = ("JIKE_WORD_QUERY_KEY", "JIKE_APPKEY") ... parser.add_argument("--key", dest="cli_key", help="临时传入即刻数据 AppKey") ... 'appkey': appkey

Recommendation

Prefer setting JIKE_WORD_QUERY_KEY in the environment rather than passing --key on the command line, and use a dedicated API key with only the needed access.

What this means

In normal use this sends requests to the Jike API, but an unexpected JIKE_API_BASE_URL value could redirect requests elsewhere.

Why it was flagged

The script normally calls the disclosed Jike API, but also allows the base URL to be overridden by an environment variable. If that variable is set unexpectedly, query terms and the AppKey could be sent to a different endpoint.

Skill content

API_BASE_URL = os.environ.get("JIKE_API_BASE_URL", "https://api.jikeapi.cn").rstrip("/") ... urllib.request.urlopen(url, timeout=15)

Recommendation

Leave JIKE_API_BASE_URL unset unless intentionally testing against a trusted endpoint, and verify the environment before use.