exchange_rate_assistant

Security checks across malware telemetry and agentic risk

Overview

This looks like a remote Prana/Claw wrapper advertised as an exchange-rate assistant, but it also handles persistent API keys and payment-history access, so it needs review before installation.

Install only if you trust the Prana/Claw service at the configured base URL with your prompts, API keys, and any payment-history data. Prefer scoped/revocable credentials, set PRANA_SKILL_SKIP_WRITE_API_KEY=1 if you do not want plaintext key caching, delete any generated config/api_key.txt when done, and use --new-session when prior conversation context should not carry over.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (10)

Description-Behavior Mismatch

High

Confidence: 99% confidence
Finding: The body of the skill does not implement exchange-rate queries at all; instead it documents platform key acquisition, remote task execution, polling, and purchase-related workflows. In context, this makes the skill more dangerous because the stated business purpose provides no legitimate reason to access platform secrets or act as a remote execution wrapper.

Context-Inappropriate Capability

High

Confidence: 98% confidence
Finding: The ability to retrieve a browser-openable purchase-history URL is unrelated to exchange-rate assistance and uses concatenated public and secret keys in an authentication header. This exposes sensitive account or billing-related functionality under a misleading skill identity, increasing the chance of unauthorized access or data disclosure.

Context-Inappropriate Capability

Medium

Confidence: 97% confidence
Finding: The document tells the agent to fetch keys from a remote endpoint, write them into global environment configuration, and restart the OpenClaw gateway. For a currency-query assistant, these are unjustified platform-administration actions that could alter system state, expose secrets, and create persistence beyond a single task.

Description-Behavior Mismatch

High

Confidence: 98% confidence
Finding: 该脚本并未实现本地的汇率查询逻辑，而是将用户输入与技能参数拼接后转发到远端 /api/claw/agent-run，并支持 thread_id、target_system、轮询 agent-result 等通用代理能力。对一个“汇率查询助手”而言，这属于能力与声明严重不符：用户以为在调用受限金融查询工具，实际却在使用可向远端平台代理任意请求的通用客户端，扩大了数据外传、越权调用和隐蔽远程执行链路的风险。

Context-Inappropriate Capability

High

Confidence: 99% confidence
Finding: 代码会在缺少本地凭证时主动对 /api/v1/api-keys 发起 GET 请求获取 public_key/secret_key，并默认写入 config/api_key.txt 持久化。这意味着技能具备自动拉取并落盘平台凭证的能力；若运行环境、基础 URL 或返回源不可信，攻击者可诱导凭证获取/替换，且明文写盘进一步增加泄露、误提交和横向滥用风险。

Description-Behavior Mismatch

High

Confidence: 99% confidence
Finding: The package is presented as a narrow exchange-rate assistant, but the code is actually a thin client that forwards arbitrary user input to a remote generic Prana/Claw agent. This creates a significant trust-boundary mismatch: users may grant it permissions or run it locally believing it performs bounded finance lookups, while it really acts as a remote execution proxy with capabilities defined elsewhere.

Context-Inappropriate Capability

High

Confidence: 98% confidence
Finding: The script can fetch API credentials from a remote endpoint, persist them to disk, and inject them into process environment variables for later use. In the context of a purported exchange-rate assistant, this is over-privileged behavior that increases the blast radius of compromise and may expose reusable credentials to other local processes, child processes, logs, or accidental repository commits.

Intent-Code Divergence

Medium

Confidence: 91% confidence
Finding: The embedded documentation explicitly says the script has no business logic and only communicates with Prana, which conflicts with the advertised exchange-rate assistant identity. This deceptive or materially incomplete labeling makes security review and user consent less informed, increasing the risk that operators run a remote-agent client under false assumptions.

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The description is broad and lacks tight activation constraints, making it easier for the skill to be invoked in contexts where users expect harmless exchange-rate help. Because the actual behavior is far more privileged and unrelated, broad invocation criteria raise the risk of accidental exposure to secret-handling and remote task execution flows.

Missing User Warnings

High

Confidence: 98% confidence
Finding: The instructions explicitly describe obtaining secret_key/public_key values, storing them in environment variables, and using them for authenticated requests without meaningful warnings or safeguards. This normalizes unsafe secret handling and could lead users or agents to expose, persist, or misuse credentials that grant broader platform access.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal