GEO & Address Conversion - 经纬度地址转换安全扫描报告 — 可信 | ClawSafe

5 /100

GEO & Address Conversion - 经纬度地址转换

在百度/Google 坐标系下做经纬度与地址互转。使用极速数据(JisuAPI)提供地理编码服务。

A straightforward geocoding utility that calls the JisuAPI external service using an environment-provided API key. No malicious patterns, no hidden functionality, and all network/file operations are declared and necessary for the stated feature.

技能名称GEO & Address Conversion - 经纬度地址转换

分析耗时34.4s

引擎pi

✓

可以安装

This skill is safe to use. Consider pinning the requests library version in a requirements.txt for reproducibility, but no security action is required.

安全发现 2 项

严重性	安全发现	位置
低危	requests library version not pinned The Python script imports requests but no requirements.txt or dependency pinning exists. While requests is a widely-used library, version pinning improves reproducibility. `import requests` → Add a requirements.txt with requests pinned to a specific version (e.g., requests>=2.28.0)	`geoconvert.py:7`
提示	API key placeholder in documentation SKILL.md line 28 shows 'API_KEY="your_appkey_here"' as a usage example. This is example placeholder text, not an actual credential. Pre-scan flagged this as HIGH but it is a false positive — no real key is present. `export JISU_API_KEY="your_appkey_here"` → No action needed; this is documentation, not hardcoded credentials	`SKILL.md:28`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`NONE`	—	geoconvert.py:1-161 — No file read/write operations
网络访问	`READ`	`READ`	✓ 一致	geoconvert.py:14-15,60-68 — Makes GET requests to api.jisuapi.com, declared in S…
命令执行	`NONE`	`NONE`	—	geoconvert.py — No subprocess, os.system, or shell invocation found
环境变量	`READ`	`READ`	✓ 一致	geoconvert.py:126 — Reads JISU_API_KEY from env (declared in SKILL.md metadata)

1 高危 5 项发现

🔑

高危 API 密钥疑似硬编码凭证

API_KEY="your_appkey_here"

SKILL.md:28

🔗

中危外部 URL 外部 URL

https://www.jisuapi.com/

SKILL.md:9

🔗

中危外部 URL 外部 URL

https://www.jisuapi.com/api/geoconvert/

SKILL.md:21

🔗

中危外部 URL 外部 URL

https://api.jisuapi.com/geoconvert/coord2addr

geoconvert.py:14

🔗

中危外部 URL 外部 URL

https://api.jisuapi.com/geoconvert/addr2coord

geoconvert.py:15

目录结构

2 文件 · 9.9 KB · 327 行

Markdown 1f · 166L Python 1f · 161L

├─ 🐍 geoconvert.py Python 161L · 4.2 KB

└─ 📝 SKILL.md Markdown 166L · 5.8 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`requests`	`*`	pip	否	Version not pinned — no requirements.txt found

安全亮点

✓ No shell execution, subprocess, or os.system calls found

✓ No file system read/write operations — purely stateless HTTP API client

✓ No credential harvesting — only reads own API key from environment

✓ No base64, eval, or obfuscated code

✓ No sensitive path access (~/.ssh, ~/.aws, .env)

✓ No data exfiltration or suspicious network destinations beyond declared API endpoint

✓ API key sourced entirely from environment variable (JISU_API_KEY), not hardcoded

✓ All network I/O is to the declared JisuAPI service (api.jisuapi.com), which is the skill's core purpose

✓ JSON input validation present for all user-supplied parameters

✓ Error handling covers network failures, HTTP errors, and invalid JSON responses

✓ Command routing is strictly allowlisted (only coord2addr and addr2coord)