Security scan
OpenClaw
Safe
high confidence
The skill's code, declared requirements, and instructions are consistent with a simple Juhe API-based exchange-rate helper; it only needs a Juhe API key and Python and does what it says, though there are a few operational security notes (API key handling and use of plain HTTP endpoints).
Assessment recommendations
This skill appears to do exactly what it claims (query Juhe exchange-rate APIs) and only needs your Juhe API key and Python. Before installing, consider: (1) Prefer setting JUHE_EXCHANGE_KEY as an environment variable rather than passing via --key (command-line args can be visible to other users/processes). (2) The script calls Juhe over plain HTTP (the code uses http://op.juhe.cn), so your API key is sent unencrypted — if possible switch the endpoints to HTTPS or confirm Juhe supports HTTPS; ot...
✓ Purpose and capabilities
Name and description (querying and converting exchange rates via Juhe) match the requested resources: python3 and a single JUHE_EXCHANGE_KEY API key. The script and SKILL.md only reference Juhe API endpoints and functionality described in the docs.
ℹ Instruction scope
SKILL.md and the script stick to the stated purpose (list currencies / query conversion). However, the implementation uses HTTP endpoints (http://op.juhe.cn) and sends the API key in the query string, which exposes the key in plaintext on the network. The SKILL.md also suggests passing the key via command-line (--key), which can leak to process listings. These are operational security concerns, not evidence of malicious intent.
✓ Install mechanism
No install specification; the skill is instruction + a small Python script. Nothing is downloaded or installed automatically, and no unusual packages or external installers are used.
ℹ Credential requirements
Only a single credential (JUHE_EXCHANGE_KEY) is required and is appropriate for the Juhe API. The skill offers three ways to supply it (env var, scripts/.env file, or CLI). Prefer environment variables over CLI or a disk file; storing the key in scripts/.env or passing via --key increases exposure risk (on-disk or via process list).
✓ Persistence and privileges
The skill does not request persistent or elevated privileges, does not set always:true, and does not modify other skills or global agent settings.
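Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/3/25
- Initial release of the juhe-exchange-rate exchange-rate query and currency conversion skill
- Supports querying real-time exchange rates by currency code and converting amounts, covering 120+ currencies
- Provides a command-line script and API call usage
- Includes detailed usage instructions, common error handling, and sample output
- Requires configuring a Juhe Data (juhe.cn) API key
- Suited to users who need global exchange-rate references and currency conversion
● Benign
Install command
Official: npx clawhub@latest install juhe-exchange-rate
Mirror (accelerated): npx clawhub@latest install juhe-exchange-rate --registry https://cn.longxiaskill.com
Mirror syncing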