Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
DeepKnow Currency
v0.1.8北京宽客进化科技有限公司旗下“知汇 InkRate”的验证版/内测版汇率 Skill,默认连接官方公共入口 `https://rate.feedai.cn`;同时接入京东 `clawtip` A2A 支付服务。提供四项服务:查询汇率(免费)、计算兑换金额(免费)、汇率提醒服务(收费)、汇率涨跌概率查询(收费)。收...
⭐ 0· 79·0 current·0 all-time
by@oicqren
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (exchange rates + paid alerts via JD clawtip) align with included scripts: quote.py, convert.py, create_order.py, service.py and file_utils for order storage. Network access and reading order credentials are reasonable for the declared payment/fulfillment flows.
Instruction Scope
Runtime instructions tell the agent to run local Python scripts that call the configured base_url and store/read order files under the user's home. The skill accepts arbitrary 'question' JSON and sends it to /api/skill/create-order and /api/skill/fulfill on the base_url — so a misconfigured or malicious base_url could receive arbitrary user data. The SKILL.md documents INKRATE_SKILL_BASE_URL but does not mention the OPENCLAW_ORDER_ROOT env var used by file_utils to change the order storage path.
Install Mechanism
No install spec or external downloads; this is instruction + embedded Python scripts. No remote installers or archive extraction observed. Risk from install mechanism is low.
Credentials
The skill declares no required env vars but supports INKRATE_SKILL_BASE_URL (documented) and implicitly supports OPENCLAW_ORDER_ROOT (not documented). Allowing base_url to be overridden lets network calls send user question/payload data to any host (normalize_base_url only validates URL syntax, it does not enforce the SUPPORTED_PUBLIC_BASE_URLS whitelist present in code). 'credential.read' permission in metadata is consistent with reading stored order payment credentials, but users should note order files may contain sensitive payment credentials.
Persistence & Privilege
always=false; no elevation or modification of other skills. The skill writes/reads order files under a per-skill order directory in the user's home (or OPENCLAW_ORDER_ROOT), which is expected for persisting payment orders.
What to consider before installing
This skill appears to implement the exchange-rate and paid-payment workflow it describes, but pay attention before installing:
- Base URL risk: by default it calls https://rate.feedai.cn, but you can override INKRATE_SKILL_BASE_URL (or put a different base_url in config.yaml). If you point that to an untrusted host, the skill will send user-provided 'question' JSON and order info to that host — do not set it to unknown servers.
- Order files: the skill saves payment/order data under ~/.openclaw/skills/orders/<indicator> by default (or to a directory you can override with OPENCLAW_ORDER_ROOT). Those JSON files may contain payment credentials; inspect them and secure the directory.
- Undocumented env var: OPENCLAW_ORDER_ROOT is honored by the code but not documented in SKILL.md; be aware of that override.
- Whitelist not enforced: runtime_config contains SUPPORTED_PUBLIC_BASE_URLS but the code does not enforce it; the base_url override is only syntactically validated. If you require a strict whitelist, review/patch the code to enforce it before use.
- Payments: paid flows use JD clawtip and may require mobile verification — follow the claimed three-stage flow and do not bypass steps. Review the scripts yourself before use or run them in a restricted/sandboxed environment if you have any doubt.Like a lobster shell, security has layers — review code before you run it.
latestvk977wk9s2yww7wa58gxhtvkyx584sgp2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.