Skill v1.0.0
ClawScan security
Currency Converter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 7, 2026, 11:58 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This skill is a simple, self-contained Chinese currency-conversion tool that uses hard-coded rates and does not request credentials, external installs, or access to files; its implementation matches its description.
- Guidance: This skill is coherent and low-risk: it uses hard-coded exchange rates and does not access credentials, files, or external services. Two practical notes before installing: (1) rates are static in the code and can become outdated; if you need live rates, request that the skill fetch from a trusted API and be cautious about granting API keys; (2) index.js imports 'https' but does not use it, indicating a possible unfinished feature to fetch remote rates (if that is later added, re-evaluate network endpoints and any new environment variables). If you are comfortable with static/reference conversions, this is safe to install. If you require real-time accuracy, ask the author to implement fetching from a reputable exchange-rate API and explain what credentials (if any) are needed and where network requests go.
Review Dimensions
- Purpose & Capability (note): The skill name/description (Chinese currency converter) aligns with the bundled code: it performs local currency conversions using a built-in EXCHANGE_RATES table. Minor mismatch: SKILL.md lists six currencies but index.js also includes KRW and TWD; also index.js requires 'https' but does not use it (harmless but suggests an unfinished plan to fetch live rates).
- Instruction Scope (ok): SKILL.md instructions are limited to conversion and rate-query examples in Chinese. The implementation does not read files, environment variables, or send data to external endpoints. The code performs only parsing and arithmetic on the message text and returns formatted responses.
- Install Mechanism (ok): No install spec or external downloads. The skill is instruction-only with a small bundled index.js and package.json; nothing is fetched from remote hosts during install.
- Credentials (ok): The skill declares no required environment variables, credentials, or config paths. The code does not access process.env or other secrets. No disproportionate credential requests are present.
- Persistence & Privilege (ok): always is false and the skill does not request elevated/persistent platform privileges or modify other skills. It appears intended for on-demand invocation only.
