Bank Card Origin Query - 银行卡归属地查询

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says, but any card number entered into it is sent to the disclosed JisuAPI service.

Install only if you are comfortable sending the queried card number to JisuAPI. Prefer BIN/prefix or test numbers when possible, avoid using real customer card data unless you have a proper basis to share it with that provider, and keep JISU_API_KEY private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 94%
Finding:
The skill asks users to provide full bank card numbers and sends them to JisuAPI, but the user-facing description does not clearly warn that this sensitive financial data will be transmitted to a third-party service. This creates a privacy and data-handling risk because users may disclose card numbers without informed consent, and card metadata plus validity information can be sensitive even if not sufficient alone for fraud.

Missing User Warnings

Medium
Confidence: 94%
Finding:
The skill sends the full bank card number to a third-party API service, but the code contains no user-facing disclosure, consent mechanism, masking, or minimization. Bank card numbers are sensitive financial data, so transmitting them externally without explicit notice creates a privacy and data-handling risk even if the API is legitimate and uses HTTPS.

External Transmission

Medium
Category: Data Exfiltration
Content:
import requests


BANKCARD_QUERY_URL = "https://api.jisuapi.com/bankcard/query"


def query_bankcard(appkey: str, req: dict):
Confidence: 91%
Finding:
https://api.jisuapi.com/

VirusTotal

63/63 vendors flagged this skill as clean.
