ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pipeworx exchangerate

v1.0.0

Simple currency exchange rates — all rates for a base currency or a direct pair lookup via open.er-api.com

0· 85·0 current·0 all-time
byBruce Gutman@b-gutman

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for b-gutman/pipeworx-exchangerate.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Pipeworx exchangerate" (b-gutman/pipeworx-exchangerate) from ClawHub.
Skill page: https://clawhub.ai/b-gutman/pipeworx-exchangerate
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: curl
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install pipeworx-exchangerate

ClawHub CLI

Package manager switcher

npx clawhub@latest install pipeworx-exchangerate
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description claim a lightweight exchange-rate lookup from open.er-api.com which matches the skill's scope. However, the runtime example and MCP config show requests going to gateway.pipeworx.io (a proxy/gateway) and an npx-based mcp-remote command, which is not mentioned in required binaries. It's plausible the pack proxies open.er-api.com via Pipeworx, but the mismatch between claimed data source and actual endpoint and the undeclared npx dependency is inconsistent.
Instruction Scope
SKILL.md provides only curl examples that post JSON-RPC to gateway.pipeworx.io and an MCP config that runs 'npx mcp-remote'. The instructions do not ask the agent to read local files or credentials. The main scope issue is that network calls are routed through a third-party gateway (Pipeworx) rather than directly to open.er-api.com, which changes data flow and privacy assumptions.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which minimizes direct install risk. No archives or external downloads are instructed by the SKILL.md itself.
!
Credentials
No environment variables or credentials are requested (good). But the MCP config references 'npx' (and an npm package mcp-remote) while required binaries list only curl. If the agent were to follow the MCP config, it implicitly requires npx/node/npm — an undeclared credential/installation requirement and a proportionality gap.
Persistence & Privilege
always is false and there are no config paths or persistent hooks requested. The skill does not ask to modify other skills or system-wide settings.
What to consider before installing
This pack appears to provide simple exchange-rate lookups, but note two things before installing: (1) the example calls a Pipeworx gateway (gateway.pipeworx.io) rather than directly contacting open.er-api.com — queries will pass through that third-party proxy, which may log or alter requests/responses; review Pipeworx's privacy/security practices if that matters. (2) The MCP config expects 'npx mcp-remote', but the skill only declares curl as a required binary — if you plan to use the MCP config you'll need node/npm/npx available, which the skill didn't declare. If you prefer avoiding a proxy, consider calling open.er-api.com directly. If you proceed, avoid sending any sensitive data in calls and verify the gateway endpoint is trusted.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

💵 Clawdis
Binscurl
latestvk972387dwxsqtr3cty0hpb6fb584f5tx
85downloads
0stars
1versions
Updated 2w ago
v1.0.0
MIT-0
Bruce Gutman@b-gutman
latest
Download

ExchangeRate API

A lightweight exchange rate service. Get all rates for a base currency in one call, or fetch a specific currency pair. Uses data from open.er-api.com with rates updated daily.

Tools

  • get_rates — All exchange rates relative to a base currency (e.g., "USD" returns rates for EUR, GBP, JPY, and 150+ others)
  • get_pair — Direct exchange rate between two specific currencies

Differs from the exchange pack

This pack is simpler — no historical rates or amount conversion, just current rates. Use this when you need a quick rate check or a full rate table. Use the exchange pack when you need conversion math or historical data.

Example: USD rates

curl -s -X POST https://gateway.pipeworx.io/exchangerate/mcp \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"get_rates","arguments":{"base":"USD"}}}'

MCP config

{
  "mcpServers": {
    "pipeworx-exchangerate": {
      "command": "npx",
      "args": ["-y", "mcp-remote@latest", "https://gateway.pipeworx.io/exchangerate/mcp"]
    }
  }
}

Comments

Loading comments...