Skill v1.0.0

ClawScan security

Exchange Rate · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 16, 2026, 2:41 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill appears to do what it says (query QVeris for rate lookup/conversion using a single QVERIS_API_KEY) but there are minor metadata inconsistencies you should verify before installing.
Guidance
This skill is coherent with its purpose: it needs a QVERIS_API_KEY and calls only qveris.ai to discover/execute currency tools. Before installing:
1) confirm and provide a QVERIS_API_KEY with the minimal scope you trust (read-only if possible);
2) verify you trust qveris.ai and its privacy/usage policy, because queries and amounts will be sent to that service (QVeris may in turn contact third-party providers);
3) note the repository/registry metadata inconsistency — the SKILL.md and script require QVERIS_API_KEY even though the registry listing shows none; ask the publisher to fix the metadata if this matters to your audit process;
4) if you need stricter control, run the script locally and inspect network traffic or restrict outbound access to qveris.ai only.

Review Dimensions

Purpose & Capability
ok: Name/description match the code and SKILL.md: the script searches qveris.ai for currency tools and executes them to return rates/conversions. The requested credential (QVERIS_API_KEY) is appropriate for that purpose. Note: registry metadata provided separately lists no required env vars, which conflicts with the SKILL.md and scripts that require QVERIS_API_KEY.
Instruction Scope
ok: Runtime instructions and the included script limit network activity to qveris.ai and perform only search/execute flows, parameter building, parsing, and formatting. The skill does not read other files, system credentials, or arbitrary endpoints in the repository. It relies on QVeris to call underlying providers (Alpha Vantage, Twelve Data) on the server side.
Install Mechanism
ok: No install spec is present (instruction-only style). The repository includes a runnable Node.js script (no installers or external downloads). This is a low-risk installation model — files are bundled in the skill and nothing is fetched from arbitrary URLs at install time.
Credentials
note: The code and SKILL.md require a single credential (QVERIS_API_KEY), which is proportional to the stated functionality. However, registry metadata elsewhere indicated 'no required env vars' — that mismatch should be resolved. The script does not request additional tokens or secrets.
Persistence & Privilege
ok: The skill is not always-enabled (always: false) and uses normal autonomous invocation behavior. It does not attempt to modify other skills or system-wide settings. Autonomous invocation is the platform default.