Skill v1.0.2
ClawScan security
EPC Query For Auto Parts - 汽车配件EPC查询 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 3, 2026, 10:03 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This skill's code, instructions, and requested credential align with its stated EPC lookup purpose; nothing appears disproportionate or covert.
- Guidance: This skill appears to do exactly what it claims: query JisuAPI's EPC endpoints using your JISU_API_KEY. Before installing, ensure you trust the JisuAPI service and are comfortable sending VINs and car identifiers to it (check their privacy/terms). Make sure the runtime has Python 3 and the 'requests' library installed (pip install requests) so the script can run. Verify your AppKey's permissions, quota, and whether you want the skill to see VINs (VINs can be sensitive). Otherwise the request surface is narrow and proportionate.
- Findings: [none_detected] expected: No regex-based pre-scan findings. The script makes outbound HTTPS requests to api.jisuapi.com/epc which is expected for this integration.
Review Dimensions
- Purpose & Capability (ok): Name/description request VIN/brand/model EPC data and the skill only requires a JISU (JisuAPI) AppKey and Python to call JisuAPI's /epc endpoints; this is coherent with the stated purpose.
- Instruction Scope (ok): SKILL.md instructs setting JISU_API_KEY and running the included Python script with JSON arguments; runtime behavior is limited to calling the documented JisuAPI endpoints and returning results. No unrelated file reads, other env vars, or unexpected external endpoints are referenced.
- Install Mechanism (note): There is no install spec (instruction-only), which is low-risk. One minor inconsistency: the Python script uses the third-party 'requests' library but the manifest only lists 'python3' as a required binary and does not declare installing 'requests' (user should ensure requests is available).
- Credentials (ok): Only JISU_API_KEY is required and is the expected AppKey for JisuAPI. No other credentials, keys, or sensitive config paths are requested.
- Persistence & Privilege (ok): Skill is not 'always' enabled and does not request elevated or persistent platform privileges. It performs ordinary network calls and prints results.
