Currconv

Security checks across malware telemetry and agentic risk

Overview

CurrConv is a straightforward currency conversion utility that makes disclosed public API calls and shows no hidden, destructive, or credential-seeking behavior.

Reasonable to install for normal exchange-rate lookups. Be aware it sends currency queries to frankfurter.app, requires curl and python3, and should not be treated as authoritative financial advice for high-stakes transactions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 78% confidence
Finding: The skill states that it stores a rate cache in ~/.local/share/currconv/, but this persistence is not surfaced in the main description or usage warnings. Undisclosed local writes can surprise users, create minor privacy or disk-footprint concerns, and weaken informed consent, especially in environments expecting read-only utility behavior.

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal