GEO & Address Conversion - Latitude/Longitude Address Conversion

Security checks across malware telemetry and agentic risk

Overview

This skill performs the advertised address and coordinate conversion through JisuAPI. It makes the expected external lookups; no hidden persistence or unrelated behavior was found.

Install only if you are comfortable sending submitted addresses or coordinates to JisuAPI using your own JISU_API_KEY. Use a dedicated API key, monitor quota, and avoid submitting sensitive private locations unless that third-party processing is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers
  Medium
  Confidence: 82%
  Finding: The trigger description includes the broad phrase 'or similar map coordinate questions,' which can cause the agent to invoke this skill for loosely related location requests. Over-broad invocation increases the chance that user-supplied addresses or coordinates are sent to the third-party API unexpectedly, risking privacy leakage and incorrect tool selection.

Missing User Warnings
  Medium
  Confidence: 96%
  Finding: The documentation does not clearly warn that addresses and coordinates will be transmitted to JisuAPI, a third-party service. Because location data can be sensitive personal information, failing to disclose external transmission can lead to unauthorized sharing, compliance issues, and user surprise.

Missing User Warnings
  Medium
  Confidence: 90%
  Finding: The skill sends precise user-supplied coordinates or addresses to a third-party geoconversion service, which is a real privacy/security concern because location data is sensitive and can reveal home, work, or travel patterns. While this appears necessary for the skill’s functionality and not malicious, the code provides no user notice, consent mechanism, minimization, or alternative local processing path.

External Transmission
  Medium
  Category: Data Exfiltration
  Content:
    import requests

    COORD2ADDR_URL = "https://api.jisuapi.com/geoconvert/coord2addr"
    ADDR2COORD_URL = "https://api.jisuapi.com/geoconvert/addr2coord"
  Confidence: 84%
  Finding: https://api.jisuapi.com/

External Transmission
  Medium
  Category: Data Exfiltration
  Content:
    COORD2ADDR_URL = "https://api.jisuapi.com/geoconvert/coord2addr"
    ADDR2COORD_URL = "https://api.jisuapi.com/geoconvert/addr2coord"

    def coord2addr(appkey: str, req: dict):
  Confidence: 84%
  Finding: https://api.jisuapi.com/

VirusTotal

60/60 vendors flagged this skill as clean.