Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Crypto Swap

v1.3.0

Lightning-fast crypto swaps. 240+ coins, best rates, done in minutes. Chat, CLI, or web — however you prefer.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, required binary (crypto-swap), SKILL.md instructions, and included JS/UI files all align with a command-line + web UI crypto swap tool backed by LightningEX API. However, registry metadata shows no homepage/source while README and SKILL.md claim a GitHub repo (https://github.com/yoyoemily/crypto-swap) — this mismatch is unexpected and worth verifying.
Instruction Scope
Runtime instructions are limited to installing and running the crypto-swap binary (npm install -g crypto-swap, run crypto-swap commands, launch UI). The included front-end code only contacts api.lightningex.io for currency lists, pair info, rates, and order operations — behavior consistent with the described purpose and not asking the agent to read unrelated local files or secrets.
Install Mechanism
Install uses npm (package: crypto-swap) which is a common mechanism for CLIs but has moderate risk because npm packages can include postinstall scripts and arbitrary code. No install URL or pinned release host is provided in the registry metadata. Given the missing homepage/source in the registry, verify the npm package content and package.json (postinstall scripts, dependencies, binaries) before global installation.
Credentials
The skill declares no required environment variables, no config paths, and no credentials. The front-end makes network calls to api.lightningex.io (expected for a swap service). There are no hidden requests for unrelated secrets or access to other services in the provided files.
Persistence & Privilege
The skill is not forced-always, does not request elevated system-wide privileges in metadata, and its install is the normal global npm CLI pattern. It does not declare modifications to other skills or system agent settings in the provided materials.
What to consider before installing
This package appears to implement a crypto swap CLI and web UI that talks to the LightningEX API — that is consistent with its description. However, the registry entry lacks a verified homepage/source despite README claims of a GitHub repo, and npm packages can execute arbitrary code at install time. Before installing or running this skill:
1) Verify the package on the npm registry and that the repository (github.com/yoyoemily/crypto-swap) exists and matches the published package.
2) Inspect package.json for postinstall scripts and review source (swap.js and package dependencies) locally.
3) Prefer installing in a sandbox or container (not with sudo globally) to inspect behavior.
4) When using the UI/CLI, expect network calls to api.lightningex.io; do not supply private keys or secrets to the tool.
5) If you plan to move real funds, cross-check the service reputation and endpoint TLS fingerprints, and consider using a small test transaction first.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

Bins: crypto-swap

Install

Install Crypto Swap CLI (npm)
Bins: crypto-swap
npm i -g crypto-swap
