v1.0.1

exchange_rate_assistant

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:23 AM.

Analysis

This skill is advertised as an exchange-rate assistant, but its artifacts mainly set up a thin client for a remote Prana/Claw service: the install steps write API secrets into global OpenClaw configuration, the client persists account keys on disk, and SKILL.md also carries an unrelated payment-history flow.

Guidance

Review carefully before installing. If you only need exchange-rate lookup, prefer a skill that clearly documents its exchange-rate data source and does not require global OpenClaw credential changes. If you proceed, use narrowly scoped, revocable keys; do not commit the config directory; and avoid the unrelated payment-history flow unless you intentionally want account-management functionality.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium. Confidence: High. Status: Concern.
SKILL.md
openclaw config set env.PRANA_SKILL_SECRET_KEY "sk_..."
openclaw config set env.PRANA_SKILL_PUBLIC_KEY "pk_..."
...
openclaw gateway restart

The setup writes secrets into global OpenClaw environment configuration (`openclaw config set env.*`) and then restarts the gateway. That is broad operational authority for an exchange-rate assistant: the change applies to the whole OpenClaw environment served by that gateway, not only to this skill.

User impact: A user could affect their whole OpenClaw environment, not just this skill, and may unintentionally expose or reuse the same secrets across other agent activity.
Recommendation: Keep credentials scoped to this skill where possible, avoid global gateway changes unless strictly necessary, and require clear user confirmation before modifying OpenClaw-wide settings.
Human-Agent Trust Exploitation
Severity: Medium. Confidence: High. Status: Concern.
SKILL.md
# 2. Retrieve Prana payment history

The user obtains a link to a **payment history (skill purchase records)** page that can be opened in a browser

A payment-history workflow is unrelated to the advertised exchange-rate purpose and may lead users to perform account/payment actions they did not expect from this skill.

User impact: Users expecting currency conversion may be guided into sensitive account or payment-history handling without that being clear from the skill description.
Recommendation: Remove the payment-history flow from this skill, or publish it as a separate, clearly named account-management skill with explicit credential and privacy disclosures.
Agentic Supply Chain Vulnerabilities
Severity: Low. Confidence: High. Status: Note.
SKILL.md
npm install yaml ... pip install pyyaml

The skill tells users to install unpinned third-party packages (`yaml` via npm, `pyyaml` via pip) even though the registry metadata declares no install spec; the dependency is disclosed in SKILL.md but under-declared in the metadata.

User impact: The user's environment will depend on packages fetched at install time, and the exact versions are not fixed by the artifact.
Recommendation: Provide a proper install spec or lockfile with pinned dependency versions, or document the exact tested versions.
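
The two install-step concerns above (global `openclaw config set env.*` writes plus a gateway restart, and unpinned `pip install`/`npm install` lines) are the kind of thing a static check over SKILL.md can flag before anything is executed. The following is an added illustration written for this review, not ClawScan's scanner and not the skill's own code. The sample SKILL.md excerpt is constructed from the commands quoted above, and the `sk_`/`pk_` value prefixes used to recognise credential-like values are an assumption drawn from those excerpts.

```python
import re
from dataclasses import dataclass

# Constructed sample SKILL.md install section, modelled on the commands quoted in
# this review. It is not the skill's real file.
SAMPLE_SKILL_MD = """\
## Setup
npm install yaml
pip install pyyaml
openclaw config set env.PRANA_SKILL_SECRET_KEY "sk_..."
openclaw config set env.PRANA_SKILL_PUBLIC_KEY "pk_..."
openclaw config set env.LOG_LEVEL "debug"
openclaw gateway restart
pip install requests==2.32.3
"""

CONFIG_SET = re.compile(r'^\s*openclaw\s+config\s+set\s+env\.(\w+)\s+"?([^"\s]*)"?')
GATEWAY_RESTART = re.compile(r"^\s*openclaw\s+gateway\s+restart\b")
PIP_INSTALL = re.compile(r"^\s*pip3?\s+install\s+(.+)$")
NPM_INSTALL = re.compile(r"^\s*npm\s+(?:install|i|add)\s+(.+)$")
# Heuristics for "this env var holds a credential": name words, or the sk_/pk_
# value prefixes seen in the quoted install commands (assumption; adjust per site).
CRED_NAME = re.compile(r"SECRET|TOKEN|PASSWORD|PRIVATE|API_KEY", re.I)
CRED_VALUE = re.compile(r"^(sk|pk)_")
PIP_PINNED = re.compile(r"^[A-Za-z0-9_.\-\[\]]+===?[A-Za-z0-9_.\-+!*]+$")  # name==1.2.3
NPM_PINNED = re.compile(r"^@?[^@\s]+@\d")                                  # name@1.2.3


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str    # global-credential | global-env | gateway-restart | unpinned-dep
    detail: str


def _packages(spec: str) -> list[str]:
    """Package arguments of an install line, ignoring flags such as -U or --save."""
    return [tok for tok in spec.split() if not tok.startswith("-")]


def scan_skill_md(text: str) -> list[Finding]:
    """Flag install steps that reach beyond the skill: global OpenClaw env writes,
    gateway restarts, and dependencies fetched without a pinned version."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        if m := CONFIG_SET.match(line):
            name, value = m.group(1), m.group(2)
            kind = "global-credential" if CRED_NAME.search(name) or CRED_VALUE.match(value) else "global-env"
            findings.append(Finding(n, kind, f"env.{name} written to global OpenClaw config"))
        elif GATEWAY_RESTART.match(line):
            findings.append(Finding(n, "gateway-restart", "install step restarts the OpenClaw gateway"))
        elif m := PIP_INSTALL.match(line):
            for pkg in _packages(m.group(1)):
                if not PIP_PINNED.match(pkg):
                    findings.append(Finding(n, "unpinned-dep", f"pip: {pkg}"))
        elif m := NPM_INSTALL.match(line):
            for pkg in _packages(m.group(1)):
                if not NPM_PINNED.match(pkg):
                    findings.append(Finding(n, "unpinned-dep", f"npm: {pkg}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, e.g. to gate a review on 'any global-credential'."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_skill_md(SAMPLE_SKILL_MD)
    for f in results:
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
    print(summarize(results))
```

Run against the constructed sample, the scan reports the two unpinned packages, both `env.PRANA_SKILL_*` writes as global credentials, the `LOG_LEVEL` write as a plain global env change, and the gateway restart; the pinned `requests==2.32.3` line is left alone. A line-based check like this cannot see what the commands do at runtime, which is the same limitation the review itself states for ClawScan.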
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High. Confidence: High. Status: Concern.
scripts/prana_skill_client.py
API_KEY_FILE = CONFIG_DIR / "api_key.txt" ... "# Auto-saved by prana_skill_client after GET /api/v1/api-keys; do not commit to public repos." ... f"{public_key}:{secret_key}"

The client automatically stores fetched public/secret API keys in a local file by default, while the registry metadata declares no required credentials or config paths.

User impact: Installing or following the skill can create and persist account API secrets on disk, which may later be reused by this skill or exposed if the skill directory is shared or committed.
Recommendation: Declare the credential requirement explicitly, avoid automatic secret persistence by default, use the narrowest possible scoped token, and tell users how to revoke and remove stored keys.
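
The insecure default this finding describes (fetch keys, then write `public_key:secret_key` to `api_key.txt` unconditionally) beside the behaviour the recommendation asks for: environment first, persistence only on explicit opt-in, owner-only file mode, and a way to remove the file. This is an added example, not the skill's `prana_skill_client.py`; it reuses the file name and the `PRANA_SKILL_PUBLIC_KEY`/`PRANA_SKILL_SECRET_KEY` names quoted in this review, and the refusal to read a group- or world-readable key file is an extra check added here, not something the finding reports.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Names taken from the install commands and the client excerpt quoted in this review.
PUBLIC_KEY_ENV = "PRANA_SKILL_PUBLIC_KEY"
SECRET_KEY_ENV = "PRANA_SKILL_SECRET_KEY"
KEY_FILE_NAME = "api_key.txt"

Creds = Tuple[str, str, str]  # (public_key, secret_key, source)


# --- The pattern the finding describes: persist fetched keys by default ----------
def save_keys_insecure(config_dir: Path, public_key: str, secret_key: str) -> Path:
    """Writes public:secret to disk unconditionally, with whatever mode the umask allows."""
    config_dir.mkdir(parents=True, exist_ok=True)
    path = config_dir / KEY_FILE_NAME
    path.write_text(f"{public_key}:{secret_key}\n")  # no opt-in, no explicit file mode
    return path


# --- Hardened alternative (added here; not the skill's code) -----------------------
def load_credentials(config_dir: Path, env=None) -> Optional[Creds]:
    """Prefer the process environment; fall back to the key file only if it exists
    and is readable by the owner alone."""
    env = os.environ if env is None else env
    pub, sec = env.get(PUBLIC_KEY_ENV), env.get(SECRET_KEY_ENV)
    if pub and sec:
        return pub, sec, "env"
    path = config_dir / KEY_FILE_NAME
    if not path.is_file():
        return None
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:  # group or world bits set: refuse rather than quietly use a leaked key
        raise PermissionError(f"{path} has mode {mode:o}; expected 0600")
    pub, _, sec = path.read_text().strip().partition(":")
    return (pub, sec, "file") if pub and sec else None


def save_keys(config_dir: Path, public_key: str, secret_key: str, *, persist: bool) -> Optional[Path]:
    """Persist only on explicit opt-in, owner read/write only, never overwriting silently."""
    if not persist:
        return None
    config_dir.mkdir(parents=True, exist_ok=True)
    path = config_dir / KEY_FILE_NAME
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # O_EXCL: fail if present
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{public_key}:{secret_key}\n")
    return path


def forget_keys(config_dir: Path) -> bool:
    """Remove the stored key file; pair this with revoking the key on the server side."""
    path = config_dir / KEY_FILE_NAME
    if path.exists():
        path.unlink()
        return True
    return False


def file_mode(path: Path) -> int:
    return stat.S_IMODE(path.stat().st_mode)


def demo() -> dict:
    """Exercise both paths in a throwaway directory and report what happened."""
    r = {}
    with tempfile.TemporaryDirectory() as d:
        cfg = Path(d)
        bad = save_keys_insecure(cfg, "pk_example", "sk_example")
        os.chmod(bad, 0o644)  # make the umask-dependent mode deterministic for the demo
        try:
            load_credentials(cfg, env={})
            r["loose_file_rejected"] = False
        except PermissionError:
            r["loose_file_rejected"] = True
        r["insecure_removed"] = forget_keys(cfg)
        r["opt_out_wrote_file"] = save_keys(cfg, "pk_example", "sk_example", persist=False) is not None
        good = save_keys(cfg, "pk_example", "sk_example", persist=True)
        r["hardened_mode"] = file_mode(good)
        r["loaded_from_file"] = load_credentials(cfg, env={})
        r["env_wins"] = load_credentials(cfg, env={PUBLIC_KEY_ENV: "pk_env", SECRET_KEY_ENV: "sk_env"})
        try:
            save_keys(cfg, "pk_other", "sk_other", persist=True)
            r["overwrite_blocked"] = False
        except FileExistsError:
            r["overwrite_blocked"] = True
        r["forgotten"] = forget_keys(cfg)
        r["after_forget"] = load_credentials(cfg, env={})
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design points are the ones the recommendation lists: the caller must ask for persistence (`persist=True`), the file is created with mode 0600 and `O_EXCL` so an existing key is never silently overwritten, environment variables win over the file so a scoped per-session token can be used without touching disk, and `forget_keys` gives users the removal step; revocation still has to happen on the server side.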
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low. Confidence: High. Status: Note.
SKILL.md
Call `/api/claw/agent-run` ... The thin client is responsible only for calling the interface above and for the necessary `agent-result` polling; its standard output is the server-side JSON as returned.

The skill forwards user requests to a remote agent-run service and returns the server's raw JSON. This is disclosed and is the whole point of the wrapper, but users should understand that the data boundary is the remote service, not their machine.

User impact: Questions and any sensitive details the user includes may be sent to the remote Claw/Prana service for processing.
Recommendation: Avoid entering unnecessary sensitive financial or personal data, and the publisher should document what is sent to, retained by, and processed on the remote service.