Skill v1.0.10
ClawScan security
Summary of JisuAPI - 极速数据API汇总 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 3, 2026, 9:18 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-and-script wrapper around the official JisuAPI service and its requests/requirements (python3 + JISU_API_KEY) align with its stated purpose.
- Guidance: This skill is coherent: it calls the official JisuAPI endpoints and only needs your JISU_API_KEY. Before installing, ensure you trust jisuapi.com, monitor and limit API key usage, and avoid sending highly sensitive PII (ID cards, bank cards, private documents) unless you intend to use the OCR endpoints and accept that those images are transmitted to the third-party service. Also ensure the runtime has the Python 'requests' package available (or install it) and rotate the JISU_API_KEY if it is ever exposed.
Review Dimensions
- Purpose & Capability: ok. Name/description, required env var (JISU_API_KEY) and python3 binary match a gateway for the JisuAPI service. The skill only asks for the API key needed to call the third-party API.
- Instruction Scope: ok. SKILL.md instructs the agent to run the bundled Python script with list/call commands; the script only reads sys.argv and the JISU_API_KEY env var and sends requests to https://api.jisuapi.com. It restricts API paths with a whitelist and character checks, minimizing risk of URL injection or arbitrary outbound calls.
- Install Mechanism: ok. No install spec (instruction-only) and the code file is bundled; nothing is downloaded from external/untrusted URLs. The script requires the 'requests' Python package, which is typical but not specified in metadata.
- Credentials: ok. Only JISU_API_KEY is declared as required and used. No unrelated credentials or config paths are requested. Note: some supported APIs accept images/base64 (OCR, ID/bank card), which may involve sensitive data; that is a functional requirement of those endpoints, not an unexplained credential request.
- Persistence & Privilege: ok. The skill does not request always:true, does not modify other skills or system settings, and uses no elevated persistence. Autonomous invocation is allowed (platform default) but is not combined with other privilege red flags.
