Skill v1.0.4

ClawScan security

GEO & Address Conversion - 经纬度地址转换 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 3, 2026, 9:56 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and required JISU_API_KEY match its stated purpose (address <-> coordinate conversion via JisuAPI); nothing in the package indicates hidden or unrelated behavior.
Guidance
This skill appears to do exactly what it says: it converts between addresses and coordinates by calling JisuAPI. Before installing: (1) ensure your environment has Python and the 'requests' package available, (2) be aware your JISU_API_KEY will be sent to api.jisuapi.com (as a GET query param) — use a limited/rotatable key and monitor usage, (3) review JisuAPI's terms/privacy if you will submit sensitive locations, and (4) if you need stricter secrecy, verify whether the API supports sending keys in headers or POST to avoid logging in URL/query strings.

Review Dimensions

Purpose & Capability
ok: Name/description (经纬度<->地址) align with the code and declared env. The only credential requested is JISU_API_KEY, which is exactly what the JisuAPI-based implementation needs. No unrelated services or permissions are requested.
Instruction Scope
ok: SKILL.md and the Python script instruct the agent to call the JisuAPI endpoints with JSON input and return the API result. The instructions do not read arbitrary files or access extra environment variables. The script performs only HTTP GETs to api.jisuapi.com and local JSON parsing.
Install Mechanism
note: There is no install spec (instruction-only), and the included script is small and self-contained. One practical omission: the script uses the Python 'requests' library but the skill's requirements only list 'python3' (no pip dependency declared). This is an operational note rather than a security red flag.
Credentials
note: Only JISU_API_KEY is required, which is proportional. Important security/privacy note: the script sends the appkey as a query parameter in GET requests (params), so the key may appear in logs and URL records on the client, proxies, or the JisuAPI side; consider using a limited key and monitoring usage.
Persistence & Privilege
ok: always:false, and there are no actions to persist or modify other skills or system-wide configs. The skill does not request elevated privileges or permanent presence.