Scan Report
5/100
Exchange Rate Inquiry & Conversion - Exchange Rate Query
Currency exchange rate conversion, popular exchange rates, currency list, and bank foreign exchange quote lookup
A straightforward currency exchange rate query skill that makes simple HTTP GET requests to a single documented API (jisuapi.com), with no hidden functionality, no credential exfiltration, and no shell/filesystem abuse.
Safe to install
This skill is safe to use. No changes needed. The 'your_appkey_here' placeholder in SKILL.md is documentation-only and not a security risk.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | NONE | READ | ✓ Aligned | exchange.py:14-17 — makes HTTP GET requests only to api.jisuapi.com, a single do… |
| Environment | READ | READ | ✓ Aligned | exchange.py:171 — appkey = os.getenv('JISU_API_KEY'), matches metadata requires.… |
| Filesystem | NONE | NONE | — | No file read/write operations. Script only reads JSON from argv and outputs JSON… |
| Shell | NONE | NONE | — | No subprocess, os.system, or shell command invocation. Pure Python logic. |
Findings: 7 (1 High, 6 Medium)

| Severity | Type | Finding | Location |
|---|---|---|---|
| High | API Key | Suspected hardcoded credential: API_KEY="your_appkey_here" | SKILL.md:28 |
| Medium | External URL | https://www.jisuapi.com/ | SKILL.md:9 |
| Medium | External URL | https://www.jisuapi.com/api/exchange/ | SKILL.md:16 |
| Medium | External URL | https://api.jisuapi.com/exchange/convert | exchange.py:14 |
| Medium | External URL | https://api.jisuapi.com/exchange/single | exchange.py:15 |
| Medium | External URL | https://api.jisuapi.com/exchange/currency | exchange.py:16 |
| Medium | External URL | https://api.jisuapi.com/exchange/bank | exchange.py:17 |

File Tree
2 files · 14.3 KB · 489 lines (Python: 1 file, 250 lines; Markdown: 1 file, 239 lines)
├─ exchange.py (Python)
└─ SKILL.md (Markdown)
Dependencies (1 item)
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| requests | * | pip | No | No requirements.txt or dependency lock file; requests is imported directly. While version pinning is best practice, no known vulnerabilities are confirmed in this usage context. |
Security Positives
✓ No subprocess, shell execution, or eval() usage
✓ No sensitive path access (~/.ssh, ~/.aws, .env, etc.)
✓ No base64, obfuscation, or hidden code paths
✓ No data exfiltration — all network requests go to a single, documented, legitimate API provider (jisuapi.com)
✓ API key is read only from the environment (os.getenv), never written to disk or transmitted beyond the intended API call
✓ All four functions (convert, single, currency, bank) are explicitly documented in SKILL.md
✓ Clean, readable codebase with no obfuscation or unexpected behavior
✓ Timeout of 10s on all HTTP requests (denial-of-service resistance)
✓ Error handling covers HTTP errors, JSON parse failures, and API-level error codes