Juhe Telephone Verify

ReviewAudited by ClawScan on May 1, 2026.

Overview

The skill appears to perform the advertised Juhe phone/name/ID verification, but it handles highly sensitive identity data and has an API-key variable-name mismatch users should notice.

Install only if you trust the Juhe service and have a lawful, consented reason to verify the provided identity data. Configure the API key using JUHE_TELEPHONE_VERIFY_KEY, and be careful to clean or avoid logs because the tool sends and prints full name, ID card, and phone number values.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium

#ASI02: Tool Misuse and Exploitation

What this means

A user’s or subject’s identity information will be transmitted to Juhe for verification and may appear in provider-side request records.

Why it was flagged

The script sends the API key plus real name, ID card number, and mobile number to the Juhe verification endpoint using query parameters. This is aligned with the skill’s purpose, but it is sensitive third-party data handling.

Skill content

params = {
        'key': api_key,
        'realname': name,
        'idcard': idcard,
        'mobile': mobile,
    }
...
response = requests.get(api_url, params=params, timeout=10)

Recommendation

Use only for lawful, consented verification. Prefer a POST-based implementation if supported and avoid submitting data that is not necessary for the verification.

Low

#ASI03: Identity and Privilege Abuse

What this means

Users may configure the wrong environment variable or misunderstand which API key the script will use.

Why it was flagged

The declared credential name is misspelled in the frontmatter/metadata, while the configuration example uses a different, correctly spelled variable name.

Skill content

requires": { "bins": ["python3"], "env": ["JUHE_TELEPHON_VERIFY_KEY"] }, "primaryEnv": "JUHE_TELEPHON_VERIFY_KEY" ... "JUHE_TELEPHONE_VERIFY_KEY": "你的 API Key"

Recommendation

Confirm the configured variable name before use; the script expects JUHE_TELEPHONE_VERIFY_KEY in the OpenClaw config or environment.

Medium

#ASI06: Memory and Context Poisoning

What this means

Sensitive identity data may be visible in terminal output, chat transcripts, or logs after the verification finishes.

Why it was flagged

The command-line output includes the full submitted name, ID card number, and mobile number. If an agent captures tool output, those values may remain in the conversation or logs.

Skill content

print(f"\n姓名：{args.name}")
print(f"身份证号：{args.idcard}")
print(f"手机号：{args.mobile}")

Recommendation

Avoid running this on shared terminals or shared transcripts, and consider masking ID card and phone values in output.