ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

abe-exchange-rates

v1.0.0

Fetch live exchange rates between any currency pairs from XE.com. Use when: user asks about currency conversion, exchange rates, forex rates, or converting a...

0· 68·0 current·0 all-time
by@abeltennyson

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for abeltennyson/abe-exchange-rates.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "abe-exchange-rates" (abeltennyson/abe-exchange-rates) from ClawHub.
Skill page: https://clawhub.ai/abeltennyson/abe-exchange-rates
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install abe-exchange-rates

ClawHub CLI

Package manager switcher

npx clawhub@latest install abe-exchange-rates
Security Scan
Capability signals
CryptoRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (XE exchange rates) align with the included script and the fallback API. The script attempts to scrape XE via a scraping proxy (SkillBoss / heybossai) and falls back to an open rates API — both are coherent with the stated goal.
Instruction Scope
SKILL.md instructs running the included Node script and lists SKILLBOSS_API_KEY as required. The runtime behavior only performs web requests (to heybossai.com and open.er-api.com) and local parsing. However the script transmits the target XE URL (and indirectly the currency pair/amount) to a third‑party scraping service, which is expected for remote scraping but is a data‑sharing/privacy consideration.
Install Mechanism
There is no install spec and no downloaded code; the skill is instruction + a small script. No unusual packages or remote downloads occur during install. The script relies on Node's fetch (no extra dependencies).
!
Credentials
The SKILL.md and script require SKILLBOSS_API_KEY (process.env.SKILLBOSS_API_KEY), but registry metadata lists no required env vars / primary credential — that's an inconsistency. Requiring a single API key is plausible for a scraping proxy, but the fact the required credential is not declared in the registry is a red flag. The script does not request other unrelated secrets.
Persistence & Privilege
always is false and the skill does not persist or modify other skills or system configs. It does not request elevated or persistent privileges.
What to consider before installing
Before installing, note two things: (1) the script requires an API key named SKILLBOSS_API_KEY but the registry metadata omitted that — verify the skill owner and provide the key only if you trust the service. (2) The script sends the XE request URL (currency pair and amount) to https://api.heybossai.com (a third‑party scraping proxy). That means query data and scraped page content are visible to that service. If you require privacy or want to avoid exposing queries, do not provide the SKILLBOSS_API_KEY; consider running a local scraper, using only the public fallback API (open.er-api.com), or asking the publisher for source/hosting details and why the registry metadata omitted the env var. If you proceed, prefer user‑invocation (not autonomous) and limit the API key scope where possible.
scripts/xe-rate.mjs:8
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97493epzvq7mprq9v6403q1zh85emrv
68downloads
0stars
1versions
Updated 4d ago
v1.0.0
MIT-0
@abeltennyson
latest
Download

Exchange Rates (XE.com)

Fetch live mid-market exchange rates from XE.com via SkillBoss API Hub scraping.

Usage

node ~/clawd/skills/exchange-rates/scripts/xe-rate.mjs <FROM> <TO> [AMOUNT]

Examples:

node ~/clawd/skills/exchange-rates/scripts/xe-rate.mjs USD INR        # 1 USD → INR
node ~/clawd/skills/exchange-rates/scripts/xe-rate.mjs EUR USD 500    # 500 EUR → USD
node ~/clawd/skills/exchange-rates/scripts/xe-rate.mjs THB INR 1000   # 1000 THB → INR

Output: JSON with amount, from, to, rate, converted, source, timestamp

Response Format

Present results cleanly:

  • Show the converted amount prominently
  • Include the unit rate (1 FROM = X TO)
  • Mention source is XE.com mid-market rate
  • For amounts > 1, show both unit rate and total conversion

Notes

  • Uses SkillBoss API Hub scraping to fetch XE.com rates
  • Falls back to exchangerate-api.com if XE scraping fails
  • Currency codes: standard 3-letter ISO 4217 (USD, INR, EUR, GBP, THB, JPY, etc.)
  • Rates are mid-market (not buy/sell spreads)
  • Script takes ~4-5 seconds per lookup (network overhead)

Comments

Loading comments...