Skill v1.0.0

ClawScan security

Currency Exchange Rate · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 24, 2026, 12:33 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and instructions match its stated purpose (fetching exchange rates from exchangerate-api.com), request no credentials, perform only straightforward HTTPS calls, and contain no obvious scope creep or suspicious behavior.
Guidance
This skill appears coherent and low-risk: it runs a small Python script that makes HTTPS requests to exchangerate-api.com and prints exchange rates. Before installing, consider that the skill will make outbound network requests (so it requires network access) and depends on a third‑party API (rate limits and availability apply). If you require provenance, note the skill has no homepage/source URL in the metadata — if you need an auditable origin or long‑term maintenance guarantees, ask the publisher for a repository or verify the owner identity.

Review Dimensions

Purpose & Capability
ok: Name/description, SKILL.md instructions, and the included script all align: they fetch rates from exchangerate-api.com and perform conversions. No unrelated binaries, env vars, or config paths are requested.
Instruction Scope
ok: Runtime instructions are limited to running the included Python script with commands like convert/rate/list. The script only performs outbound HTTPS GET requests to the declared API and prints results; it does not read local secrets, files, or other system state.
Install Mechanism
ok: There is no install spec. The skill is instruction-only with a single Python script included; nothing is downloaded at install time and no archives or external installers are used.
Credentials
ok: The skill requires no environment variables or credentials. The included code does not access any undeclared env vars or secret material.
Persistence & Privilege
ok: The skill is not marked 'always', does not modify other skills or system configs, and does not request persistent privileges. It can make outbound network calls when invoked, which is expected for its purpose.