ClawAudit verdict
车险投保skill
za-car-insurance
88
🟢 Trusted
Low risk — reviewed by ClawAudit, behavior matches stated purpose
Zhongan car insurance quoting flow using user-provided phone number and CAR_API_KEY; all API calls go to car.zhongan.com with explicit constraints against persisting credentials.
⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.
Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.
55
security
70
transparency
90
maintenance
Permission integrity
Code accesses API keys/tokens but declares no environment variables
credential_access
Findings (1)
Pattern match critical
Possible hardcoded credential
auth.md · code · API_KEY="<car_api_key的实际值>
Permissions & capabilities
No declared permissions — minimal attack surface.
credential_access Is this flag fair?
Thanks — recorded.