Skill v1.0.4
ClawScan security
Bank Card Origin Query - 银行卡归属地查询 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 3, 2026, 9:57 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill does what it says: it sends a provided bank-card number to the JisuAPI bankcard endpoint using an AppKey; its requirements and code are internally consistent with that purpose.
- Guidance
- This skill is coherent with its description and uses the JisuAPI service to look up bank-card origin, but it WILL send the bank-card number you provide to a third-party (api.jisuapi.com). Before installing: ensure you trust JisuAPI for handling sensitive data; only supply an AppKey with appropriate limits; monitor API usage and quotas; avoid sending full real card numbers if privacy concerns exist (use partial numbers or local Luhn checks for basic validation). Also ensure the runtime environment has Python and the 'requests' package installed; rotate the AppKey if it is ever exposed.
Review Dimensions
- Purpose & Capability
- ok: Name/description, required env var (JISU_API_KEY), and the code all point to using JisuAPI's bankcard query endpoint. The requested credential is the AppKey the API needs, which is proportional to the stated purpose. Minor omission: the script imports the Python 'requests' library but SKILL.md only lists 'python3' as a required binary (no explicit mention of the requests dependency).
- Instruction Scope
- note: SKILL.md instructs running the included script with a JSON containing 'bankcard'. The script sends the bankcard number and the AppKey to https://api.jisuapi.com/bankcard/query and prints the API result. That network call is necessary for the described functionality but means user-supplied card numbers are transmitted to a third-party service (privacy exposure).
- Install Mechanism
- ok: No install spec (instruction-only + single script). Nothing is downloaded or written to disk by an installer. The only dependency risk is runtime: the script requires the Python 'requests' package, which isn't declared in SKILL.md; this is a usability omission, not a security problem.
- Credentials
- note: Only JISU_API_KEY is required and is appropriate for calling JisuAPI. However, the AppKey grants the skill the ability to query the external API (and potentially consume quotas or be charged), so treat the key as sensitive and use least-privilege / monitoring. Also: the skill transmits sensitive personal data (bank card numbers) to the external provider — consider privacy implications before supplying real card numbers.
- Persistence & Privilege
- ok: Skill is not 'always:true' and does not request to modify other skills or system settings. Agent autonomous invocation is allowed by platform default but is not combined here with elevated privileges.
