Skill v3.0.1

ClawScan security

Currconv · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 19, 2026, 10:59 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
This currency-converter skill is internally consistent with its stated purpose (calling frankfurter.app), requests no secrets, and appears to only perform network calls to the documented API.
Guidance
This skill appears to do what it says: call the frankfurter.app API and format results. Before installing: (1) ensure your agent environment provides curl, bash (4+) and python3 as the SKILL.md requires; (2) inspect the remainder of scripts/script.sh (the manifest was truncated in the review) if you want to confirm caching behavior and any file writes to ~/.local/share/currconv/; (3) be aware it needs outbound network access to api.frankfurter.app but does not request credentials or other system access. If you do not want any local files written, run it in a contained environment or check for/clean the cache directory after use.

Review Dimensions

Purpose & Capability
note: The skill's name/description match its behavior: it queries frankfurter.app for rates and provides convert/list/history functionality. Minor inconsistency: registry metadata lists no required binaries, while SKILL.md and the included script clearly require curl, bash (4+) and python3. This is an administrative mismatch but not a functional red flag.
Instruction Scope
ok: SKILL.md and scripts instruct only to call the frankfurter.app API, parse JSON locally, and present results. The included script’s visible code only accesses the API, formats output, validates inputs, and uses local temp files; it does not read unrelated system files or environment secrets in the shown portion.
Install Mechanism
ok: No install spec is provided (instruction-only), and the packaged script is a plain shell script. No downloads from external or untrusted URLs or archive extraction are present in the manifest.
Credentials
ok: The skill declares no required environment variables or credentials and the visible script does not attempt to read secrets. It does require network access and local execution tools (curl, python3), which are proportionate to the stated purpose.
Persistence & Privilege
note: always:false and no special privileges requested. SKILL.md states a rate cache location (~/.local/share/currconv/); the truncated script portion shown does not visibly perform persistent writes, so confirm the remainder of the script if you care about local cache files and their permissions. The skill does not modify other skills or system-wide settings.