Skill v1.0.4
ClawScan security
VIN (Vehicle Identification Number) Query - VIN车辆识别代码查询 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 3, 2026, 10:03 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill does what it says: a small Python wrapper that calls JisuAPI VIN endpoints and requires only a JISU_API_KEY; nothing in the code contradicts the description.
- Guidance
- This skill is internally consistent and appears to be what it claims: a small Python client for JisuAPI's VIN endpoints. Before installing, consider: (1) you must provide a JISU_API_KEY (AppKey) and the script will send any VINs you query to api.jisuapi.com — treat VINs as potentially sensitive and only use a key you trust; (2) ensure the Python runtime has the 'requests' package installed (the metadata doesn't declare this dependency); (3) be aware of JisuAPI rate limits, billing, and key permissions (the script will fail or return API errors if the key is missing/expired/over-quota); (4) if you need stricter privacy, review whether sending VINs to a third party is acceptable. If you want higher assurance, inspect or run the script in an isolated environment and verify network requests go only to the listed api.jisuapi.com endpoints.
Review Dimensions
- Purpose & Capability
- ok: Name/description match the requested resources and behavior: the skill queries JisuAPI VIN endpoints and provides oil/gearbox lookups by carid. Required env var JISU_API_KEY is appropriate and is declared as the primary credential.
- Instruction Scope
- note: SKILL.md and vin.py limit actions to forming HTTP GET requests to api.jisuapi.com endpoints with the provided VIN/carid and the AppKey. This will send user-supplied VINs and carids to JisuAPI (a third-party service) — expected for the purpose but potentially privacy-sensitive. The instructions do not attempt to read other environment variables or files.
- Install Mechanism
- note: No install spec (instruction-only + a bundled script) — low risk. One practical issue: the script imports the Python 'requests' library but the metadata only lists 'python3' as a required binary and does not declare Python package dependencies; the runtime may fail if 'requests' is not installed. No downloads or external installers are used.
- Credentials
- ok: Only JISU_API_KEY is required. That key is proportionate to calling the JisuAPI service. No unrelated credentials, config paths, or broad secrets are requested.
- Persistence & Privilege
- ok: The skill does not request permanent presence (always:false) and does not modify other skills or system settings. It runs as a simple script when invoked.
