GEO & Address Conversion - 经纬度地址转换 Security Report — Trusted | ClawSafe

5 /100

GEO & Address Conversion - 经纬度地址转换

在百度/Google 坐标系下做经纬度与地址互转。使用极速数据(JisuAPI)提供地理编码服务。

A straightforward geocoding utility that calls the JisuAPI external service using an environment-provided API key. No malicious patterns, no hidden functionality, and all network/file operations are declared and necessary for the stated feature.

Skill NameGEO & Address Conversion - 经纬度地址转换

Duration34.4s

Enginepi

✓

Safe to install

This skill is safe to use. Consider pinning the requests library version in a requirements.txt for reproducibility, but no security action is required.

Findings 2 items

Severity	Finding	Location
Low	requests library version not pinned The Python script imports requests but no requirements.txt or dependency pinning exists. While requests is a widely-used library, version pinning improves reproducibility. `import requests` → Add a requirements.txt with requests pinned to a specific version (e.g., requests>=2.28.0)	`geoconvert.py:7`
Info	API key placeholder in documentation SKILL.md line 28 shows 'API_KEY="your_appkey_here"' as a usage example. This is example placeholder text, not an actual credential. Pre-scan flagged this as HIGH but it is a false positive — no real key is present. `export JISU_API_KEY="your_appkey_here"` → No action needed; this is documentation, not hardcoded credentials	`SKILL.md:28`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`NONE`	—	geoconvert.py:1-161 — No file read/write operations
Network	`READ`	`READ`	✓ Aligned	geoconvert.py:14-15,60-68 — Makes GET requests to api.jisuapi.com, declared in S…
Shell	`NONE`	`NONE`	—	geoconvert.py — No subprocess, os.system, or shell invocation found
Environment	`READ`	`READ`	✓ Aligned	geoconvert.py:126 — Reads JISU_API_KEY from env (declared in SKILL.md metadata)

1 High 5 findings

🔑

High API Key 疑似硬编码凭证

API_KEY="your_appkey_here"

SKILL.md:28

🔗

Medium External URL 外部 URL

https://www.jisuapi.com/

SKILL.md:9

🔗

Medium External URL 外部 URL

https://www.jisuapi.com/api/geoconvert/

SKILL.md:21

🔗

Medium External URL 外部 URL

https://api.jisuapi.com/geoconvert/coord2addr

geoconvert.py:14

🔗

Medium External URL 外部 URL

https://api.jisuapi.com/geoconvert/addr2coord

geoconvert.py:15

File Tree

2 files · 9.9 KB · 327 lines

Markdown 1f · 166L Python 1f · 161L

├─ 🐍 geoconvert.py Python 161L · 4.2 KB

└─ 📝 SKILL.md Markdown 166L · 5.8 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`requests`	`*`	pip	No	Version not pinned — no requirements.txt found

Security Positives

✓ No shell execution, subprocess, or os.system calls found

✓ No file system read/write operations — purely stateless HTTP API client

✓ No credential harvesting — only reads own API key from environment

✓ No base64, eval, or obfuscated code

✓ No sensitive path access (~/.ssh, ~/.aws, .env)

✓ No data exfiltration or suspicious network destinations beyond declared API endpoint

✓ API key sourced entirely from environment variable (JISU_API_KEY), not hardcoded

✓ All network I/O is to the declared JisuAPI service (api.jisuapi.com), which is the skill's core purpose

✓ JSON input validation present for all user-supplied parameters

✓ Error handling covers network failures, HTTP errors, and invalid JSON responses

✓ Command routing is strictly allowlisted (only coord2addr and addr2coord)

Scan Report

Findings 2 items

File Tree

Dependencies 1 items

Security Positives