Auto Parts OE Inquiry - 汽车配件OE信息查询
Security checks across malware telemetry and agentic risk
Overview
This skill appears to do what it says—query a Jisu auto-parts API—but it requires a Jisu API key and relies on an undeclared Python dependency.
Before installing, confirm you are comfortable sending part numbers and your JisuAPI key to api.jisuapi.com, preferably use a dedicated API key, and ensure any needed Python dependency such as requests comes from a trusted source.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Queries may consume the user’s JisuAPI quota, and the provider will receive the API key and parts lookup parameters.
The code reads the declared Jisu API key and sends it to api.jisuapi.com as part of the expected API request. This is purpose-aligned, but it is still credential-backed account access.
appkey = os.getenv("JISU_API_KEY") ... all_params = {"appkey": appkey} ... resp = requests.get(url, params=all_params, timeout=10)
Use a dedicated JisuAPI key if possible, monitor quota/usage, and only configure the key in trusted environments.
The skill may fail unless requests is already installed, or a user may need to install that dependency separately.
The skill depends on the third-party requests package, while the supplied install information lists only python3 and no package installation or pinned dependency. This is a dependency declaration gap, not evidence of unsafe installation.
import requests
Install dependencies only from trusted package sources, and the maintainer should declare or pin the required Python package.
