v1.0.3

Exchange Rate Inquiry & Conversion - 汇率查询

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:23 AM.

Analysis

The skill appears purpose-aligned for exchange-rate lookups and only uses the documented JisuAPI service with the user's API key.

Guidance: This skill looks reasonable for exchange-rate questions. Before installing, make sure you trust JisuAPI, configure only a limited API key, and understand that currency query details plus the API key will be sent to that provider. The artifacts do not show local data storage, file modification, or hidden background behavior.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Info; Confidence: High; Status: Note
exchange.py
EXCHANGE_CONVERT_URL = "https://api.jisuapi.com/exchange/convert" ... resp = requests.get(EXCHANGE_CONVERT_URL, params=params, timeout=10)

The script makes outbound HTTPS API calls to fixed JisuAPI exchange endpoints using the user's requested currency parameters. This matches the skill purpose, but it means lookup details leave the local environment.

User impact: JisuAPI can see the currency codes, amounts, and bank-rate queries sent through this skill, and provider quotas may be used.
Recommendation: Use the skill only if you are comfortable sending exchange-rate queries to JisuAPI; avoid including unnecessary sensitive financial context in queries.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
exchange.py
appkey = os.getenv("JISU_API_KEY") ... params = {"appkey": appkey}

The script reads the Jisu API key from the environment and attaches it to provider requests. This is expected for the documented API integration and is also disclosed in SKILL.md, but it is still credential use.

User impact: The configured JisuAPI account key may be used for requests, quota consumption, or billing according to the provider's terms.
Recommendation: Use a limited, revocable JisuAPI key, keep it out of shared logs or prompts, and rotate it if you suspect exposure.