XPR Crypto Tax

Generate detailed crypto tax reports for XPR Network activity with support for New Zealand and United States regional tax rules and cost basis methods.

This skill appears to implement the advertised crypto-tax functionality, but there are transparency issues you should address before installing: - Expect the skill to call external APIs (Saltant, Metal X, Hyperion, CoinGecko) and to upload report files (PDF + CSVs) as part of its normal workflow. Confirm you trust the platform's store_deliverable and xpr_deliver_job endpoints and any third-party URLs used for delivery. Uploading CSVs means financial and transaction data will be transmitted off the agent environment. - The code reads COINGECKO_API_KEY (optional) and RATE_CACHE_PATH even though the manifest does not list these env vars. If you provide a CoinGecko key, verify it is scoped appropriately; if you do not, the skill falls back to limited/no-key behavior. - By default the skill will create a data/rate-cache.json in the agent working directory. If you prefer to control where files are written, set RATE_CACHE_PATH to a safe location (or make the skill's working directory read-only) and audit the cache file contents policy. - Review the bundled dist/index.js (included) yourself or ask the publisher for a provenance statement. The included code is not obviously malicious, but the manifest omissions (env/config) and mandatory multi-file upload step are non-trivial and warrant caution. - If you want to proceed: run the skill with non-sensitive test data first, confirm the exact endpoints used for uploads/delivery, and consider providing a throwaway CoinGecko key or limiting the RATE_CACHE_PATH to a directory you control. If the publisher can update the manifest to declare COINGECKO_API_KEY and RATE_CACHE_PATH (and describe their use), that would increase transparency and reduce risk.

Type: OpenClaw Skill Name: xpr-tax Version: 1.0.0 The OpenClaw skill 'xpr-tax' is classified as benign. Its primary function is crypto tax reporting, which it performs by querying legitimate public APIs (Saltant, Metal X, CoinGecko) for account balances, DEX trades, and on-chain transfers. It processes this data to calculate gains/losses and generate a tax report in Markdown and CSV formats. The skill accesses `process.env.COINGECKO_API_KEY` for API authentication, which is a standard and expected practice. Crucially, the `dist/index.js` file (the executable code) does not contain any file system operations (e.g., for persistent caching), unlike the provided `src/index.ts`. The `SKILL.md` instructions are clear, align with the stated purpose, and do not exhibit any prompt injection attempts or instructions for unauthorized actions. There is no evidence of data exfiltration to unauthorized endpoints, persistence mechanisms, or malicious obfuscation.