Skill v1.0.4

ClawScan security

Bank Card Recognition OCR - 银行卡识别 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 3, 2026, 9:59 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, documentation, and required environment variable align with its stated purpose (calling JisuAPI to OCR bank cards); nothing in the package attempts to access unrelated credentials or system areas.
Guidance
This skill appears coherent, but be aware: using it uploads full card images to JisuAPI (an external service) along with your JISU_API_KEY, so only use it if you trust that provider and accept that sensitive data (card numbers) will be transmitted and processed remotely. The script restricts file reads to the current working directory, which reduces risk, but ensure the working directory doesn't contain unrelated sensitive files. Install the Python 'requests' package if missing. Treat the API key like a secret: provide a dedicated/limited key if possible and rotate it if you stop using the skill. If you need purely local/offline OCR for higher privacy, consider an on-device OCR alternative instead.

Review Dimensions

Purpose & Capability
ok: Name/description match the implementation: the script posts a base64-encoded image to JisuAPI's bankcardcognition endpoint and returns the result. Required items (python3 binary and JISU_API_KEY) are appropriate for this purpose.
Instruction Scope
ok: Runtime instructions and script behavior are limited to reading a local image (or using provided base64), encoding it, and calling the remote API. The code enforces path restrictions (disallows absolute paths and '..') to limit file access to the current working directory and subdirectories.
Install Mechanism
note: There is no install spec (lowest-risk), but the script imports the 'requests' library while SKILL.md metadata only declares python3. The environment may need 'requests' installed (pip) for the script to run; this missing dependency declaration is a minor inconsistency.
Credentials
ok: Only JISU_API_KEY is required and used as the appkey for the documented JisuAPI endpoint. No other secrets or unrelated environment variables or config paths are requested.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated or persistent system privileges. It does not modify other skills or system-wide settings.