人民币汇率查询 - 即刻数据

Security checks across malware telemetry and agentic risk

Overview

This skill coherently queries a disclosed exchange-rate API using a user-provided Jike API key, with credential-handling cautions but no hidden or destructive behavior found.

Install only if you are comfortable sending currency lookup requests and your Jike API key to jikeapi.cn. Do not set JIKE_API_BASE_URL unless you trust the alternate host, and avoid passing the key on the command line where it may be saved in shell history.

SkillSpector

By NVIDIA

Vulnerability Patterns

Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Tainted flow: 'url' from os.environ.get (line 214, credential/environment) → urllib.request.urlopen (network output)

Critical

Category: Data Flow
Content: url = f"{API_BASE_URL}{API_PATH_MAP[command]}?{urllib.parse.urlencode(request_params)}" try: with urllib.request.urlopen(url, timeout=15) as response: return json.loads(response.read().decode("utf-8")) except urllib.error.HTTPError as exc: return {"code": exc.code, "message": f"接口请求失败: HTTP {exc.code}", "data": ""}
Confidence: 92% confidence
Finding: with urllib.request.urlopen(url, timeout=15) as response:

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal