歇后语查询 - 即刻数据
PassAudited by VirusTotal on May 9, 2026.
Overview
Type: OpenClaw Skill Name: jike-xiehouyu-query Version: 1.0.0 The skill is a legitimate tool for querying Chinese allegorical sayings (Xiehouyu) via the jikeapi.cn API. The Python script (scripts/xiehouyu_query.py) uses standard libraries to handle API requests and format terminal output, with no evidence of data exfiltration, malicious execution, or prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Jike AppKey and any search keyword are sent to the configured API service; if JIKE_API_BASE_URL is set to an untrusted host, the key could be sent there instead.
The helper reads a provider AppKey and includes it in the request URL. The default destination is Jike's API, but an environment variable can change the API base URL.
APPKEY_ENV_NAMES = ("JIKE_XIEHOUYU_QUERY_KEY", "JIKE_APPKEY") ... API_BASE_URL = os.environ.get("JIKE_API_BASE_URL", "https://api.jikeapi.cn").rstrip("/") ... urllib.parse.urlencode({**params, 'appkey': appkey})Use a scoped Jike API key, keep JIKE_API_BASE_URL unset unless you intentionally trust a different endpoint, and avoid passing --key in shared shell history.