← 返回 Skills 市场

Exchange Rate

Name: Exchange Rate
Author: jaceymarvin99

作者 JaceyMarvin99 · GitHub ↗ · v0.1.0

cross-platform ⚠ suspicious

461

总下载

当前安装

版本数

在 OpenClaw 中安装

/install exchange-rate-2

功能描述

Use when users need to query daily currency exchange rates between two currencies.

使用说明 (SKILL.md)

Exchange Rate Skill

This skill helps AI agents fetch daily currency exchange rates from the 60s API.

When to Use This Skill

Use this skill when users:

Ask for current exchange rates between two currencies.
Want to know the value of one currency in another.
Need the latest currency conversion rate.

How to Use

Execute the associated scripts/exchange_rate.sh script to fetch the exchange rate.

./scripts/exchange_rate.sh [options]

Options

--currency, -c \x3Ccurrency>: Optional. The base currency ISO 4217 code. Defaults to CNY.
--target, -t \x3Ctarget>: Optional. The target currency ISO 4217 code. Defaults to USD. If set to AAA, it returns all available exchange rates for the base currency.

Return Values

The script outputs the exchange rate value of the target currency relative to 1 unit of the base currency. If the target is AAA, it outputs the full JSON response containing all rates. If the target currency is not found, an error message is returned.

Usage Examples

# Get the exchange rate from CNY to USD (default)
./scripts/exchange_rate.sh

# Get the exchange rate from EUR to JPY
./scripts/exchange_rate.sh --currency EUR --target JPY

# Get all exchange rates for GBP
./scripts/exchange_rate.sh -c GBP -t AAA

安全使用建议

This skill appears to implement an exchange-rate lookup but has two practical red flags: (1) the included shell script requires curl and jq even though the manifest lists no required binaries — verify those tools will be available or update the skill declaration; (2) the script calls an undocumented third-party API (https://60s.viki.moe). Before installing or running it, review and validate that API endpoint (owner, privacy policy, reliability). If you plan to run the script, do so in a sandboxed environment, inspect the script thoroughly, and consider replacing the remote API with a known/trusted provider (or adding explicit configuration options).

功能分析

Type: OpenClaw Skill Name: exchange-rate-2 Version: 0.1.0 The `scripts/exchange_rate.sh` file contains a critical shell injection vulnerability. The `CURRENCY=$(echo "$CURRENCY" | tr '[:lower:]' '[:upper:]')` and `TARGET=$(echo "$TARGET" | tr '[:lower:]' '[:upper:]')` lines are susceptible to command injection. If user-provided input for `--currency` or `--target` contains shell command substitutions (e.g., `$(command)` or backticks), these commands will be executed when `echo` processes the string, leading to Remote Code Execution (RCE). The `SKILL.md` file instructs the AI agent to execute this script with user-controlled parameters, providing a direct vector for prompt injection to exploit this vulnerability.

能力评估

⚠ Purpose & Capability

The skill's name/description match its behavior (fetching exchange rates). However the manifest declares no required binaries or credentials while the included script clearly depends on curl and jq and performs network requests to a specific API host. Omitting those binary requirements is an incoherence.

ℹ Instruction Scope

SKILL.md instructs the agent to run scripts/exchange_rate.sh which issues an outbound HTTPS request to https://60s.viki.moe/v2/exchange-rate. The instructions do not warn about the network call or disclose the full API host, nor do they document expected JSON schema. The script does not read local files or secrets.

✓ Install Mechanism

No install spec is provided (instruction-only plus a script). Nothing is written to disk by an installer; risk is limited to running the included script.

ℹ Credentials

The skill declares no environment variables or credentials and the script does not request secrets. This is proportional. However the script makes outbound calls to an external API (unknown origin) which may expose query parameters; no credential access is requested.

✓ Persistence & Privilege

The skill is not always-enabled and does not request elevated or persistent privileges. It does not modify other skills or system-wide settings.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install exchange-rate-2
安装完成后，直接呼叫该 Skill 的名称或使用 /exchange-rate-2 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v0.1.0

- Initial release of the exchange-rate skill. - Allows querying daily currency exchange rates between two currencies using the 60s API. - Provides a shell script (`exchange_rate.sh`) for fetching rates with configurable base and target currencies. - Supports retrieving all available exchange rates for a given base currency. - Includes clear usage instructions and examples.

元数据

Slug exchange-rate-2

版本 0.1.0

许可证 —

累计安装 0

当前安装数 0

历史版本数 1

常见问题

Exchange Rate 是什么？

Use when users need to query daily currency exchange rates between two currencies. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 461 次。

如何安装 Exchange Rate？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install exchange-rate-2」即可一键安装，无需额外配置。

Exchange Rate 是免费的吗？

是的，Exchange Rate 完全免费（开源免费），可自由下载、安装和使用。

Exchange Rate 支持哪些平台？

Exchange Rate 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Exchange Rate？

由 JaceyMarvin99（@jaceymarvin99）开发并维护，当前版本 v0.1.0。