Xiehouyu Query - Jike Data

Advisory

Audited by Static analysis on May 9, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your Jike AppKey and any search keyword are sent to the configured API service; if JIKE_API_BASE_URL is set to an untrusted host, the key could be sent there instead.

Why it was flagged

The helper reads a provider AppKey and includes it in the request URL. The default destination is Jike's API, but an environment variable can change the API base URL.

Skill content

APPKEY_ENV_NAMES = ("JIKE_XIEHOUYU_QUERY_KEY", "JIKE_APPKEY")
...
API_BASE_URL = os.environ.get("JIKE_API_BASE_URL", "https://api.jikeapi.cn").rstrip("/")
...
urllib.parse.urlencode({**params, 'appkey': appkey})

Recommendation

Use a scoped Jike API key, keep JIKE_API_BASE_URL unset unless you intentionally trust a different endpoint, and avoid passing --key in shared shell history.