Skill v1.0.5
ClawScan security
Mobile Phone Number Location Query - 手机号码归属地查询 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 3, 2026, 9:48 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and required environment variable (JISU_API_KEY) align with its stated purpose of querying a third‑party phone‑number attribution API; there are no obvious incoherent or excessive permissions.
- Guidance: This skill appears to do exactly what it claims: call the JisuAPI phone‑number lookup and return the result. Before installing, ensure you: (1) only provide a JISU_API_KEY obtained from the official jisuapi.com site and keep it private; (2) are comfortable that phone numbers will be transmitted to that third‑party API (consider privacy/regulatory implications); (3) install the Python 'requests' package in the agent environment so the script can run; and (4) restrict/monitor the API key's quota and rotate it if needed. If you require offline or internal processing of phone data, this networked design may not be suitable.
Review Dimensions
- Purpose & Capability (ok): Name/description, required binary (python3), and required env var (JISU_API_KEY) match the claimed purpose of calling JisuAPI's phone‑number lookup. The code calls the documented endpoint https://api.jisuapi.com/shouji/query.
- Instruction Scope (ok): SKILL.md instructs exporting JISU_API_KEY and running the included Python script with a JSON payload. The runtime script only reads the provided JSON argument and JISU_API_KEY, calls the JisuAPI endpoint, and prints the returned result — it does not read other files, walk the filesystem, or send data to unexpected endpoints.
- Install Mechanism (note): There is no install spec (instruction-only), which minimizes risk. Minor mismatch: the script uses the Python 'requests' library but SKILL.md/metadata do not declare or instruct installing this dependency; this is an operational omission, not a security red flag.
- Credentials (ok): Only one environment variable (JISU_API_KEY) is required and is the expected API key for the documented third‑party service. No unrelated secrets, config paths, or additional credentials are requested.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request persistent or elevated platform privileges; it does not modify other skills or system settings.
