Currconv
PassAudited by ClawScan on May 1, 2026.
Overview
The artifacts show a coherent currency-conversion utility that uses a disclosed public exchange-rate API, with only minor setup, network, and local-cache notes.
This appears safe for normal currency conversion. Be aware that queries are sent to frankfurter.app, ensure curl and python3 are installed, and verify rates separately before relying on them for financial decisions.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The external API may receive the amount, currency pair, and date being queried.
The script uses curl to call the external frankfurter.app API with conversion/rate query parameters. This is disclosed and purpose-aligned, but it is an outbound data flow.
API_BASE="https://api.frankfurter.app" ... curl ... "$url"
Use it for ordinary rate checks and avoid entering confidential transaction details; verify rates independently for high-stakes financial decisions.
The skill may fail or behave inconsistently if curl or python3 are missing, even though the registry metadata says no binaries are required.
The registry metadata does not declare required binaries, while SKILL.md states that curl and python3 are required. This may affect dependency preflight clarity.
Required binaries (all must exist): none ... Required binaries (at least one): none
Before installing or using it, confirm curl and python3 are available; the publisher should declare these runtime requirements in metadata.
Cached public rate data may remain on the device and could become stale or inaccurate.
The skill discloses local persistence for a rate cache. The stored data appears limited to exchange-rate information, not credentials or private user documents.
Rate cache stored in `~/.local/share/currconv/`.
Clear the cache if you do not want local persistence, and verify important exchange rates with an authoritative source.