Skillv1.0.3

ClawScan security

ID Card Number Origin Query - 身份证号码归属地查询 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 3, 2026, 9:45 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, instructions, and requested credential (JISU_API_KEY) are consistent with its stated purpose of querying ID-card origin via the JisuAPI service.
Guidance: This skill appears to do exactly what it says: call JisuAPI to look up ID-card origin using the JISU_API_KEY you supply. Before installing, be aware that: (1) the script requires the Python 'requests' package but the README doesn't show how to install it (pip install requests), so you may need to ensure that dependency is available; (2) the skill will make network requests to api.jisuapi.com and will use whatever AppKey you provide—only provide a key you trust for this purpose; and (3) the package's source/homepage is listed as unknown, so if provenance matters to you, consider obtaining the API integration from a verified source or reviewing the code yourself (it is short and readable).

Purpose & Capability: okName/description map directly to the included code and the JisuAPI endpoints (api.jisuapi.com). The required env var (JISU_API_KEY) is the expected AppKey for that API; no unrelated credentials or services are requested.
Instruction Scope: okSKILL.md instructs the agent to set JISU_API_KEY and run the included Python script with a JSON argument. The script only reads that env var and performs HTTP GETs to the documented JisuAPI endpoints; it does not access other system files, tokens, or unexpected endpoints.
Install Mechanism: noteThis is an instruction-only skill with a bundled Python script (no install spec). The script requires python3 (declared) and the third-party 'requests' library (imported but not documented in SKILL.md). Missing dependency documentation may cause runtime failure but is not a security concern.
Credentials: okOnly a single API key (JISU_API_KEY) is required and used for calls to the JisuAPI service. No extra secrets, system config paths, or unrelated credentials are requested.
Persistence & Privilege: okThe skill is not forced-always, does not request persistent elevated privileges, and does not modify other skills or system-wide settings.