Summary of JisuAPI - 极速数据API汇总

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed JisuAPI gateway skill, but users should be careful because some optional calls can send personal identifiers or document images to JisuAPI.

Install only if you trust JisuAPI with the data you ask it to process and understand that requests use your JISU_API_KEY. Confirm before sending sensitive identifiers, phone numbers, bank cards, ID documents, passports, VIN images, QR or barcode images, courier numbers, or location data through this skill, and review JisuAPI billing and data-handling terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 81%
Finding
The trigger description is broad enough to match many ordinary requests about weather, prices, exchange rates, and similar topics, which can cause the skill to activate unexpectedly. Because this skill can send arbitrary query parameters to an external API gateway, overbroad invocation increases the chance of unintended network calls and unnecessary sharing of user data.

Missing User Warnings

High
Confidence: 96%
Finding
The skill documents OCR and recognition endpoints that can upload highly sensitive content such as IDs, bank cards, passports, VIN images, and general text images to a third-party API, but it does not provide a clear privacy or data-transfer warning. In this context, the risk is elevated because the skill is a generic unified gateway, making it easy for agents or users to send personal or regulated data off-platform without informed consent.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill forwards user-supplied parameters together with the JISU_API_KEY to a third-party service without any built-in consent, disclosure, or data minimization controls. This is especially sensitive because the allowed APIs include personal-data and OCR endpoints (for example ID cards, bank cards, phone numbers, IP/location, enterprise contact, QR/barcode image parsing), so users may unknowingly transmit sensitive data off-platform.

VirusTotal

57/57 vendors flagged this skill as clean.
