ClawHub
Back to skill
v1.0.1

汽车配件 - 4S 指导价查询

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:16 AM.

Analysis

This skill appears to do what it claims: query a disclosed auto-parts price API, but users should notice it sends a VIN, parts list, and API key to an external service.

GuidanceThis skill is reasonable for its stated purpose. Before installing, confirm you trust the JZ/积智数据 service, use an appropriate API key, and be aware that VIN and parts-code queries are sent to the external API endpoint.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
get_parts_price4s.py
import requests

The script depends on the Python 'requests' package, while the registry requirements only list python3 and there is no install spec. This is an under-declared dependency, not evidence of malicious behavior.

User impactThe skill may fail unless 'requests' is already installed, or a user may need to install it separately.
RecommendationInstall dependencies only from trusted package sources and prefer a documented, pinned dependency specification in future versions.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
get_parts_price4s.py
appkey = os.getenv("JZ_API_KEY") ... params = {"apiKey": appkey,"vinCode": vin, "partsOeList": partsCodes}

The script reads the user's API key from the environment and sends it as the credential for the disclosed service. This is expected for the integration, but it is still delegated account/API authority.

User impactAnyone using the skill must provide an API key that authorizes requests to the JZ data service.
RecommendationUse a dedicated, least-privileged API key if available, keep it out of shared logs, and revoke or rotate it if exposed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
get_parts_price4s.py
PARTS_PRICE4S_URL = "https://erp.qipeidao.com/jzOpenClaw/getPrice4s" ... requests.post(PARTS_PRICE4S_URL, json=params, timeout=100)

The skill sends the API key, VIN, and parts-code list to a named external provider endpoint. This is disclosed and purpose-aligned, but users should understand the data leaves their environment.

User impactVehicle identifiers and requested parts codes may be visible to the external API provider along with the API key used for billing or authorization.
RecommendationOnly query data you are comfortable sending to the provider, and review the provider's privacy and access terms before use.