← Back to Skills Marketplace
718
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install xpr-tax
Description
Generate detailed crypto tax reports for XPR Network activity with support for New Zealand and United States regional tax rules and cost basis methods.
Usage Guidance
This skill appears to implement the advertised crypto-tax functionality, but there are transparency issues you should address before installing:
- Expect the skill to call external APIs (Saltant, Metal X, Hyperion, CoinGecko) and to upload report files (PDF + CSVs) as part of its normal workflow. Confirm you trust the platform's store_deliverable and xpr_deliver_job endpoints and any third-party URLs used for delivery. Uploading CSVs means financial and transaction data will be transmitted off the agent environment.
- The code reads COINGECKO_API_KEY (optional) and RATE_CACHE_PATH even though the manifest does not list these env vars. If you provide a CoinGecko key, verify it is scoped appropriately; if you do not, the skill falls back to limited/no-key behavior.
- By default the skill will create a data/rate-cache.json in the agent working directory. If you prefer to control where files are written, set RATE_CACHE_PATH to a safe location (or make the skill's working directory read-only) and audit the cache file contents policy.
- Review the bundled dist/index.js (included) yourself or ask the publisher for a provenance statement. The included code is not obviously malicious, but the manifest omissions (env/config) and mandatory multi-file upload step are non-trivial and warrant caution.
- If you want to proceed: run the skill with non-sensitive test data first, confirm the exact endpoints used for uploads/delivery, and consider providing a throwaway CoinGecko key or limiting the RATE_CACHE_PATH to a directory you control. If the publisher can update the manifest to declare COINGECKO_API_KEY and RATE_CACHE_PATH (and describe their use), that would increase transparency and reduce risk.
Capability Analysis
Type: OpenClaw Skill
Name: xpr-tax
Version: 1.0.0
The OpenClaw skill 'xpr-tax' is classified as benign. Its primary function is crypto tax reporting, which it performs by querying legitimate public APIs (Saltant, Metal X, CoinGecko) for account balances, DEX trades, and on-chain transfers. It processes this data to calculate gains/losses and generate a tax report in Markdown and CSV formats. The skill accesses `process.env.COINGECKO_API_KEY` for API authentication, which is a standard and expected practice. Crucially, the `dist/index.js` file (the executable code) does not contain any file system operations (e.g., for persistent caching), unlike the provided `src/index.ts`. The `SKILL.md` instructions are clear, align with the stated purpose, and do not exhibit any prompt injection attempts or instructions for unauthorized actions. There is no evidence of data exfiltration to unauthorized endpoints, persistence mechanisms, or malicious obfuscation.
Capability Assessment
Purpose & Capability
Name/description (XPR crypto tax reporting for NZ/US) aligns with the code and SKILL.md: it calls on-chain APIs, parses DEX CSVs, computes gains, and generates reports. Requiring price data (CoinGecko) and on-chain APIs is reasonable for this purpose. However, the skill's package metadata lists no required env vars while the code relies on environment variables (COINGECKO_API_KEY, RATE_CACHE_PATH), which is an inconsistency.
Instruction Scope
SKILL.md instructs the agent to fetch balances/trades/transfers, compute gains, and then upload a PDF and two CSVs and call a delivery job (xpr_deliver_job). That workflow is coherent for a reporting tool, but the instructions mandate uploading all files and making an external 'deliver' call in a single run — a behavior with data-exfiltration implications if endpoints or storage targets are untrusted. SKILL.md also claims 'all tools are read-only', but the code persists a local rate cache to disk (not strictly read-only).
Install Mechanism
No install spec is provided (instruction-only installation), which is low risk compared to arbitrary downloads. The package contains JS/TS source and a bundled dist file that will run on the platform — no external installers or unusual download URLs are present.
Credentials
skill.json declares no required environment variables, but the code reads process.env.COINGECKO_API_KEY (to enable expanded CoinGecko history) and process.env.RATE_CACHE_PATH (to override where a persistent JSON rate cache is stored). COINGECKO_API_KEY is expected for price history (reasonable), but its absence from manifest is an oversight. RATE_CACHE_PATH (default: ./data/rate-cache.json) means the skill will read/write files on disk; this file-write capability is disproportionate relative to the manifest which states no config paths. Lack of explicit env declaration reduces transparency and is a red flag.
Persistence & Privilege
always is false and the skill does not request elevated platform privileges. However, it maintains a persistent local JSON rate cache (writes to a data directory by default) which means it will create files under the agent's working directory. This is ordinary for caching but should be noted.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install xpr-tax - After installation, invoke the skill by name or use
/xpr-tax - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
6 tools: balance snapshots, DEX trade history, transfer categorization, capital gains calculation, full tax reports with NZ regional support
v0.2.11
- Added SKILL.md with comprehensive documentation and usage instructions.
- Detailed workflow for generating crypto tax reports, supporting New Zealand and US regions.
- Included tables for transfer categorization, tax rules, and report delivery steps.
- Clarified regional differences (NZ/US tax years, capital gains treatment, rate sources).
- Documented known limitations and important operational notes for accurate reporting.
Metadata
Frequently Asked Questions
What is XPR Crypto Tax?
Generate detailed crypto tax reports for XPR Network activity with support for New Zealand and United States regional tax rules and cost basis methods. It is an AI Agent Skill for Claude Code / OpenClaw, with 718 downloads so far.
How do I install XPR Crypto Tax?
Run "/install xpr-tax" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is XPR Crypto Tax free?
Yes, XPR Crypto Tax is completely free (open-source). You can download, install and use it at no cost.
Which platforms does XPR Crypto Tax support?
XPR Crypto Tax is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created XPR Crypto Tax?
It is built and maintained by paulgnz (@paulgnz); the current version is v1.0.0.
More Skills