Trusted: risk score 5/100
Last scan: 2 days ago
Exchange Rate Inquiry & Conversion - 汇率查询
Currency exchange rate conversion, popular rates, currency list, and bank foreign exchange quote lookup
A straightforward currency exchange rate query skill that makes simple HTTP GET requests to a single documented API (jisuapi.com), with no hidden functionality, no credential exfiltration, and no shell/filesystem abuse.
Skill name: Exchange Rate Inquiry & Conversion - 汇率查询
Analysis time: 23.2s
Engine: pi
Can be installed
This skill is safe to use. No changes needed. The 'your_appkey_here' placeholder in SKILL.md is documentation-only and not a security risk.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Network access | NONE | READ | ✓ Consistent | exchange.py:14-17 — makes HTTP GET requests only to api.jisuapi.com, a single do… |
| Environment variables | READ | READ | ✓ Consistent | exchange.py:171 — appkey = os.getenv('JISU_API_KEY'), matches metadata requires.… |
| Filesystem | NONE | NONE | | No file read/write operations. Script only reads JSON from argv and outputs JSON… |
| Command execution | NONE | NONE | | No subprocess, os.system, or shell command invocation. Pure Python logic. |
7 findings (1 high)
🔑 High · API key · Suspected hard-coded credential: API_KEY="your_appkey_here" (SKILL.md:28)
🔗 Medium · External URL · https://www.jisuapi.com/ (SKILL.md:9)
🔗 Medium · External URL · https://www.jisuapi.com/api/exchange/ (SKILL.md:16)
🔗 Medium · External URL · https://api.jisuapi.com/exchange/convert (exchange.py:14)
🔗 Medium · External URL · https://api.jisuapi.com/exchange/single (exchange.py:15)
🔗 Medium · External URL · https://api.jisuapi.com/exchange/currency (exchange.py:16)
🔗 Medium · External URL · https://api.jisuapi.com/exchange/bank (exchange.py:17)

Directory structure

2 files · 14.3 KB · 489 lines
Python: 1 file · 250 lines   Markdown: 1 file · 239 lines
├─ 🐍 exchange.py   Python   250 lines · 6.9 KB
└─ 📝 SKILL.md      Markdown 239 lines · 7.3 KB

Dependency analysis (1 item)

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| requests | * | pip | None confirmed | No requirements.txt or dependency lock file; requests is imported directly. While version pinning is best practice, no known vulnerabilities are confirmed in this usage context. |

Security highlights

✓ No subprocess, shell execution, or eval() usage
✓ No sensitive path access (~/.ssh, ~/.aws, .env, etc.)
✓ No base64, obfuscation, or hidden code paths
✓ No data exfiltration — all network requests go to a single, documented, legitimate API provider (jisuapi.com)
✓ API key is read-only from environment (os.getenv), never written or transmitted beyond the intended API call
✓ All four functions (convert, single, currency, bank) are explicitly documented in SKILL.md
✓ Clean, readable codebase with no obfuscation or unexpected behavior
✓ Timeout of 10s on all HTTP requests (denial-of-service resistance)
✓ Error handling covers HTTP errors, JSON parse failures, and API-level error codes