Zodiac Sign Query - Jike Data

Pass

Audited by ClawScan on May 9, 2026.

Overview

This skill is a straightforward zodiac lookup that calls the disclosed Jike API with an AppKey; no malicious behavior is evident, but users should protect the API key.

This skill appears safe for its stated purpose. Install it only if you are comfortable sending zodiac lookup terms and your Jike AppKey to the Jike API. Keep the AppKey private, use a dedicated key if available, and confirm that JIKE_API_BASE_URL is not set to an unexpected host.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The user must provide an API key, and that key is used to access the Jike service.

Why it was flagged

The skill reads a Jike API key from CLI/environment/.env sources and includes it in the API request. This is necessary for the declared integration and there is no evidence of unrelated credential use or logging.

Skill content

APPKEY_ENV_NAMES = ("JIKE_ZODIAC_SIGN_QUERY_KEY", "JIKE_APPKEY") ... urllib.parse.urlencode({**params, 'appkey': appkey})

Recommendation

Use a dedicated Jike API key with the minimum needed access, prefer environment variables over command-line --key when possible, and avoid sharing logs or command history containing the key.

What this means

If an unexpected JIKE_API_BASE_URL is present in the environment, the query and AppKey could be sent somewhere other than Jike's default API host.

Why it was flagged

The default endpoint is the disclosed Jike API, but the code also allows an environment variable to override the base URL, which would redirect the zodiac query and AppKey if set.

Skill content

API_BASE_URL = os.environ.get("JIKE_API_BASE_URL", "https://api.jikeapi.cn").rstrip("/")

Recommendation

Before using the skill, ensure JIKE_API_BASE_URL is unset or set only to a trusted Jike-compatible endpoint.