cn-math-calculator
Author: freedompixels · v1.1.0 · MIT-0
Total downloads: 47 · Favorites: 0 · Current installs: 0 · Versions: 2
Install in OpenClaw
/install cn-math-calculator
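Description
Math expression calculator. Supports the four arithmetic operations, scientific functions (sin/cos/tan/log/sqrt), constants (pi/e), and unit conversion. Safe evaluation without eval, pure Python standard library, no API Key required.
Usage instructions (SKILL.md)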
cn-math-calculator
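Math expression calculator. Supports basic operations and scientific computation.
Features
- Four arithmetic operations + - * / ^ (power) % (modulo)
- Scientific functions: sin, cos, tan, log, sqrt, abs
- Constants: pi, e
- Safe expression evaluation (does not use eval)
- Fully local processing, no API required
Usage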
python3 scripts/math_calculator.py "2+3*4"
python3 scripts/math_calculator.py "sqrt(144)"
python3 scripts/math_calculator.py "sin(pi/2)"
Example
Input: 2+3*4 → Output: 结果: 14.0
Security recommendations
This skill is consistent with its stated purpose, but exercise caution before using it on untrusted or security-sensitive systems. The script uses eval() after transforming the input; although builtins are cleared and a restricted namespace is provided, the implementation has two practical concerns:
- Correctness risk: it replaces the character 'e' with Euler's constant (string replace), which will break scientific notation like "2e3" and may silently produce incorrect results.
- Safety/abuse risk: eval() is used (even with restricted globals). The allowed-character check still permits '.' and '_' which enable attribute access in expressions; while other syntactic elements (like brackets) are disallowed, subtle attack vectors or future code changes could expand risk.
Recommendations before installing or invoking broadly:
- If you control the code: replace eval-based evaluation with a proper parser (for example a dedicated expression parser or an AST-based whitelisting evaluator). Avoid global replacement of single letters for constants; parse tokens instead.
- If you don't control the code: test edge cases (e.g., "2e3", complex inputs), run the script in an isolated environment, and avoid exposing it to untrusted user input or enabling the skill as always-on.
- If you need a high-assurance calculator, prefer implementations that use a grammar-based parser or safe-eval libraries and have been audited.
Confidence is medium because the script is mostly coherent, but the use of eval and the 'e' replacement are concrete, non-trivial issues that justify a cautious classification.
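An AST-based whitelisting evaluator of the kind recommended above, as an added example (not the skill's own code and not taken from scripts/math_calculator.py). The names safe_eval and _ev and the 200-character input limit are assumptions made for illustration. Because it parses tokens rather than string-replacing 'e', 2e3 evaluates correctly, and attribute access is rejected at the syntax-tree level.

```python
import ast
import math
import operator

# Whitelists: any operator, function or name not listed here is rejected.
BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: math.pow}
UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
FUNCS = {"sin": math.sin, "cos": math.cos, "tan": math.tan,
         "log": math.log, "sqrt": math.sqrt, "abs": abs}
CONSTS = {"pi": math.pi, "e": math.e}
MAX_LEN = 200  # assumed input limit, not a value from the skill


def _ev(node):
    """Evaluate one AST node; raise ValueError for anything not whitelisted."""
    if isinstance(node, ast.Constant):
        # bool is a subclass of int, so compare exact types; this also
        # rejects str, bytes and complex literals.
        if type(node.value) in (int, float):
            return float(node.value)  # floats overflow loudly, ints would grow
        raise ValueError("only int/float literals are allowed")
    if isinstance(node, ast.Name):
        if node.id in CONSTS:
            return CONSTS[node.id]
        raise ValueError(f"unknown name: {node.id}")
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](_ev(node.operand))
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        return BIN_OPS[type(node.op)](_ev(node.left), _ev(node.right))
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id in FUNCS and not node.keywords):
        return FUNCS[node.func.id](*[_ev(arg) for arg in node.args])
    # Attribute, Subscript, Lambda, comprehensions, etc. all end up here.
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def safe_eval(expr: str) -> float:
    """Evaluate an arithmetic expression without eval()."""
    if len(expr) > MAX_LEN:
        raise ValueError("expression too long")
    # The skill documents ^ as power; Python parses ^ as XOR, so map it first.
    tree = ast.parse(expr.replace("^", "**"), mode="eval")
    return float(_ev(tree.body))
```

Malformed input raises SyntaxError from ast.parse, and division by zero or overflow raise the usual arithmetic exceptions, so a caller should catch those alongside ValueError.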
Functional analysis
Type: OpenClaw Skill
Name: cn-math-calculator
Version: 1.1.0
The skill is classified as suspicious due to a critical Remote Code Execution (RCE) vulnerability and misleading documentation. Although SKILL.md explicitly claims the tool does not use 'eval', the implementation in scripts/math_calculator.py uses eval() to process mathematical expressions. The input validation regex allows characters like '.' and '_', which are sufficient to perform Python attribute access (e.g., __class__) and bypass the intended sandbox, potentially allowing arbitrary code execution. While there is no clear evidence of intentional malice or exfiltration, the contradiction between the documentation and the insecure code is a significant red flag.
Capability assessment
Purpose & Capability
Name/description, SKILL.md, and the included Python script all align: a local math expression evaluator with unit conversion, no external APIs or credentials required.
Instruction Scope
Runtime instructions simply invoke the included script (python3 scripts/math_calculator.py "...") which matches the stated purpose. However, the script uses eval() on a transformed user string. Although builtins are removed and a restricted namespace is provided, the code permits '.' and '_' in expressions and performs global text replacements (notably replacing 'e' with the numeric constant), which can break legitimate numeric forms (e.g., scientific notation like 2e3) and may enable unexpected attribute-access expressions. This expands scope beyond pure arithmetic in ways that are risky.
Install Mechanism
Instruction-only skill with no install spec and only a local Python script; nothing is downloaded or installed from external sources.
Credentials
No environment variables, credentials, or config paths are requested — proportional for a local calculator.
Persistence & Privilege
Skill is not always-on and does not request special persistence or modify other skills or system settings.
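How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install cn-math-calculator
- Once installation completes, call the Skill by name or use /cn-math-calculator to trigger it
- Provide the required input according to the Skill's parameter description to get structured output
Version history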
v1.1.0
- Added skill metadata block with name, description, scope, install, and handler details.
- Updated usage instructions to use a command-line script: python3 scripts/math_calculator.py "<表达式>".
- Clarified supported features and removed unit conversion example from main usage.
- Simplified and updated feature list and usage examples.
- Now highlights use of only the Python standard library and local processing.
v1.0.0
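- Initial release: supports Chinese math expressions and unit conversion calculations.
- Supports basic operations, scientific functions (such as sin, cos, sqrt), and common constants (pi, e).
- Implements bidirectional unit conversion for length, weight, temperature, and area.
- Safe expression evaluation, with no external dependencies or API.
- Runs fully locally, compatible with Python 3.6+.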
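FAQ
What is cn-math-calculator?
Math expression calculator. Supports the four arithmetic operations, scientific functions (sin/cos/tan/log/sqrt), constants (pi/e), and unit conversion. Safe evaluation without eval, pure Python standard library, no API Key required. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 47 cumulative downloads so far.
How do I install cn-math-calculator?
Run the command "/install cn-math-calculator" in the OpenClaw or Claude Code chat box for a one-click install, with no additional configuration required.
Is cn-math-calculator free?
Yes, cn-math-calculator is completely free and is released under the MIT-0 license; it can be freely downloaded, installed, and used.
Which platforms does cn-math-calculator support?
cn-math-calculator runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).
Who developed cn-math-calculator?
Developed and maintained by freedompixels (@freedompixels); the current version is v1.1.0.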