Exchange Rate Inquiry & Conversion - 汇率查询

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward exchange-rate lookup skill that uses a JisuAPI key to call fixed currency and bank-rate API endpoints.

Install this if you are comfortable using JisuAPI for exchange-rate data. Use a revocable API key, expect currency queries and API usage metadata to be visible to that provider, and avoid including unrelated sensitive financial details in prompts that invoke the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 80%
Finding
The activation guidance includes broad phrasing such as handling 'similar exchange-rate conversion questions,' which can cause the agent to invoke the skill on loosely related financial queries. Over-broad triggering can send user requests to a third-party provider unnecessarily, causing unintended data disclosure and tool misuse.

Missing User Warnings

Medium
Confidence: 87%
Finding
Although the documentation names JisuAPI as the source, it does not clearly warn users that their requests and parameters will be transmitted to an external third-party service. This weakens informed consent and can expose query contents, timing, and usage metadata to an external provider whenever the skill is used.

VirusTotal

66/66 vendors flagged this skill as clean.
