Changenow
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken swap setup could lead the user to send funds for an unintended transaction, even though the script itself does not directly transfer the user's crypto.
The helper can create a ChangeNOW transaction and then tell the user where to send crypto. This is the advertised function, but it is a high-impact financial workflow if invoked with wrong assets, amount, or address.
res = requests.post(url, json=payload) ... print(f"Please send {args.amount} {args.from_coin.upper()} to: {data['payinAddress']}")
Use estimates first and require explicit confirmation of source asset, destination asset, network, amount, recipient address, affiliate/fee details, and pay-in address before asking the user to send funds.
Anyone with access to the configured environment may be able to use the ChangeNOW API key for affiliate/API operations.
The script requires a ChangeNOW API key. This is expected for the provider integration, but it is still a credential and the registry metadata does not list required env vars.
api_key = os.getenv("CHANGENOW_API_KEY", "no_key_found")
Declare the required credential in metadata, store the key securely, and avoid sharing logs or configuration that expose the key.
The agent may prefer this swap path because it includes an affiliate commission, not necessarily because it is the best available swap option.
The skill explicitly routes transactions through a partner link so an affiliate earns fees. This is disclosed, but it creates a financial incentive users should understand.
earn affiliate commissions ... Partner Link ID: `54718e1768e3a0`
Disclose the affiliate relationship to the end user and compare estimates or fees with alternatives before proceeding.
