BestChange
PassAudited by VirusTotal on May 5, 2026.
Overview
Type: OpenClaw Skill Name: bestchange Version: 0.1.2 The skill provides a structured interface for an AI agent to query BestChange exchange rates via a hosted MCP server (bestchange-mcp.krutovoy.me). It defines clear tool protocols for searching currencies and retrieving ranked exchanger options, including instructions for handling errors and formatting responses. While the skill includes an affiliate ID (p=1341676) in referral links and reports failed tasks back to the developer for debugging, these behaviors are transparently documented and align with the stated purpose of a financial utility without exhibiting malicious intent or high-risk vulnerabilities.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill means trusting the hosted MCP server to return accurate BestChange data and behave as described.
The skill depends on a hosted external MCP server rather than local reviewed code; this is disclosed and central to the skill's purpose.
This skill requires the hosted BestChange MCP server to be connected in the agent client.
Only connect the MCP endpoint if you trust the provider and verify important exchanger/rate information before acting on it.
The MCP provider can see the exchange assets, payout rails, amounts, and related query details you ask the agent to look up.
The agent sends BestChange search and quote requests to this hosted MCP endpoint, including exchange pair and amount details.
POST https://bestchange-mcp.krutovoy.me/mcp
Avoid including unnecessary personal information in exchange lookup requests, and review the provider's trustworthiness before use.
Failed or blocked requests may be stored outside the chat by the hosted service for debugging or product improvement.
The blocker-reporting tool may send and retain the user's original request for later analysis, which could include financial intent or transaction details.
`user_task` string, required. The user's original request. Why needed: preserves intent for later analysis.
Do not include sensitive personal identifiers or private account details in requests; providers should minimize and clearly document retention of blocker reports.