Currencyapi
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: currencyapi Version: 1.0.4 The currencyapi skill bundle provides a standard integration for fetching exchange rates via the Membrane CLI. The SKILL.md file contains legitimate instructions for installation, authentication, and API interaction, including user-in-the-loop OAuth flows. No indicators of data exfiltration, malicious execution, or harmful prompt injection were found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the CLI globally gives that npm package executable access on the user's machine.
The skill asks the user to globally install a CLI package from npm using the moving '@latest' tag. This is a normal setup step for a CLI-based integration, but users should be aware of package provenance and version drift.
npm install -g @membranehq/cli@latest
Install only from the official Membrane package source, consider pinning a known version, and review npm package provenance if operating in a sensitive environment.
The integration can use the user's Membrane-authenticated Currencyapi connection to make authorized requests.
The skill requires Membrane authentication and delegates credential handling/refresh to Membrane. This is expected for connecting to Currencyapi, but it is still account-level authority users should understand.
Membrane handles authentication and credentials refresh automatically
Use the intended Currencyapi account, confirm the connection domain is correct, and revoke the Membrane connection if it is no longer needed.
An agent using this skill could make authenticated requests to Currencyapi endpoints through Membrane if the user directs or approves that workflow.
The skill documents an authenticated proxy escape hatch for direct Currencyapi API requests when predefined actions do not cover a use case. This is purpose-aligned, but broader than the listed safe action names.
membrane request CONNECTION_ID /path/to/endpoint
Prefer the listed Currencyapi actions when possible, and review direct proxy paths, methods, and parameters before sending authenticated requests.