Exchange Rates
Author: mrInvincible29 · GitHub · v1.0.1
Total downloads: 3763
Favorites: 0
Current installs: 10
Versions: 2
Install in OpenClaw
/install exchange-rates
Description
Fetch live exchange rates between any currency pairs from XE.com. Use when: user asks about currency conversion, exchange rates, forex rates, or converting a...
Usage instructions (SKILL.md)
Exchange Rates (XE.com)
Fetch live mid-market exchange rates from XE.com via headless browser.
Usage
node ~/clawd/skills/exchange-rates/scripts/xe-rate.mjs <FROM> <TO> [AMOUNT]
Examples:
node ~/clawd/skills/exchange-rates/scripts/xe-rate.mjs USD INR # 1 USD → INR
node ~/clawd/skills/exchange-rates/scripts/xe-rate.mjs EUR USD 500 # 500 EUR → USD
node ~/clawd/skills/exchange-rates/scripts/xe-rate.mjs THB INR 1000 # 1000 THB → INR
Output: JSON with amount, from, to, rate, converted, source, timestamp
Response Format
Present results cleanly:
- Show the converted amount prominently
- Include the unit rate (1 FROM = X TO)
- Mention source is XE.com mid-market rate
- For amounts > 1, show both unit rate and total conversion
Notes
- Uses Playwright + Browserless (CDP) to scrape XE.com
- Falls back to exchangerate-api.com if XE fails
- Currency codes: standard 3-letter ISO 4217 (USD, INR, EUR, GBP, THB, JPY, etc.)
- Rates are mid-market (not buy/sell spreads)
- Script takes ~4-5 seconds per lookup (browser overhead)
Security usage recommendations
This skill appears to perform XE scraping with a Playwright browser and an API fallback, but there are red flags you should address before installing:
- The script hard-codes a CDP websocket URL including a token (ws://localhost:7002?token=...). Ask the author why a local CDP endpoint and token are required, where that token comes from, and why it isn't declared as a required service or env var.
- A local CDP connection can give the skill access to any browser context on that service (cookies, sessions, localStorage). Only run this skill in a controlled/sandboxed environment where no sensitive browser sessions are exposed.
- The manifest does not declare dependencies (playwright-core, Node fetch availability) or installation steps. Confirm platform provides Playwright and a compatible browser/CDP, or update the skill to declare/install them.
- Prefer removing embedded tokens; if a token is required, it should be supplied via a documented env var or config (and treated as a secret).
If you need this functionality, ask the publisher for an updated manifest that documents required services/dependencies and explains the CDP endpoint/token. If you cannot get that, run the skill in an isolated environment or decline installation.
Functional analysis
Type: OpenClaw Skill
Name: exchange-rates
Version: 1.0.1
The skill is classified as suspicious due to a hardcoded CDP token (`ec546a08aed110e96f64cc645bdb58fa8829a63349d6ae53`) in `scripts/xe-rate.mjs` which is a security weakness. Additionally, the `scripts/xe-rate.mjs` script directly uses `process.argv` inputs (currency codes, amount) without explicit sanitization, which, depending on the agent's command execution mechanism, could lead to shell injection vulnerabilities. These are significant security flaws, but there is no clear evidence of intentional malicious behavior like data exfiltration or backdoor installation.
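The two findings above (an embedded CDP token and unvalidated `process.argv` inputs) can be addressed along the following lines. This is an added example, not code from `scripts/xe-rate.mjs` or its author; the function names and the `CDP_WS_URL` / `CDP_TOKEN` variable names are assumptions, and the sample values are constructed.

```javascript
// Added example: hypothetical helpers, not code from scripts/xe-rate.mjs.
const CODE_RE = /^[A-Z]{3}$/;                  // ISO 4217 alphabetic code shape
const AMOUNT_RE = /^\d{1,12}(\.\d{1,8})?$/;    // plain decimal: no sign, no exponent

// Validate the <FROM> <TO> [AMOUNT] arguments before they reach a URL or page.
function parseArgs(argv) {
  const [from, to, amount = "1"] = argv;
  for (const code of [from, to]) {
    if (typeof code !== "string" || !CODE_RE.test(code)) {
      throw new Error("currency code must be three uppercase letters");
    }
  }
  if (typeof amount !== "string" || !AMOUNT_RE.test(amount) || Number(amount) <= 0) {
    throw new Error("amount must be a positive decimal number");
  }
  return { from, to, amount: Number(amount) };
}

// Build the CDP websocket URL from the environment instead of source code.
// CDP_WS_URL and CDP_TOKEN are assumed names; the skill declares no env vars.
function cdpEndpoint(env) {
  if (!env.CDP_WS_URL || !env.CDP_TOKEN) {
    throw new Error("CDP_WS_URL and CDP_TOKEN must be set");
  }
  const url = new URL(env.CDP_WS_URL);
  const loopback = ["localhost", "127.0.0.1", "[::1]"].includes(url.hostname);
  if (url.protocol !== "wss:" && !(url.protocol === "ws:" && loopback)) {
    throw new Error("use wss://, or ws:// only to a loopback address");
  }
  if (url.searchParams.has("token") || url.username || url.password) {
    throw new Error("keep credentials out of CDP_WS_URL; use CDP_TOKEN");
  }
  url.searchParams.set("token", env.CDP_TOKEN);
  return url.toString();
}

// Mask the token so the endpoint can be logged safely.
function redact(wsUrl) {
  const url = new URL(wsUrl);
  if (url.searchParams.has("token")) url.searchParams.set("token", "REDACTED");
  return url.toString();
}

// Constructed sample values, for demonstration only.
const demoEnv = { CDP_WS_URL: "ws://localhost:7002", CDP_TOKEN: "constructed-token" };
console.log(parseArgs(["EUR", "USD", "500"]), redact(cdpEndpoint(demoEnv)));
```

Validation inside the script limits what reaches the scraped URL and the fallback API, but it runs only after the process has started. If the agent builds a shell command string, the caller must also pass the arguments as an argv array (for example with `child_process.execFile`) rather than through a shell.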
Capability assessment
Purpose & Capability
The skill's purpose (fetch XE exchange rates) matches the included script which uses a headless browser and a fallback API. However, the metadata declares no dependencies or install steps while the script imports 'playwright-core' and expects a browser/CDP service — those runtime requirements are omitted from the skill manifest.
Instruction Scope
SKILL.md and the script scope are limited to scraping XE.com and falling back to an external API, which is appropriate. However the script attempts to connect to a hard-coded CDP websocket (ws://localhost:7002?token=...) — connecting to a local/debugging browser endpoint can expose authenticated browser state (cookies, localStorage) and enables arbitrary page navigation/execution, which is a sensitive capability not documented in SKILL.md.
Install Mechanism
No install spec is provided (instruction-only), but the script requires Playwright and a local CDP endpoint. The lack of an install step or declared runtime dependencies is a packaging/manifest inconsistency (may break at runtime or hide required privileged services).
Credentials
The skill requests no environment variables, yet contains a hard-coded CDP URL with an embedded token in source. Embedding a token in code is unexpected and may be inappropriate; the script also reaches out to an external fallback API (open.er-api.com). The credential-like token is not documented or explained in the metadata.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system configs, and is user-invocable only. It does not request persistent installation privileges in the manifest.
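How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install exchange-rates
- Once installation completes, call the Skill by name or trigger it with /exchange-rates
- Provide the required inputs according to the Skill's parameter description to get structured output
Version history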
v1.0.1
- Expanded description to clarify intended use cases and when not to use the skill (e.g. for stock/crypto/financial market queries).
- Added examples of what kinds of user queries the skill supports.
- Explicitly noted expected JSON output and how to present results.
v1.0.0
Initial release: XE.com mid-market rates via Playwright, free API fallback, any currency pair
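FAQ
What is Exchange Rates?
Fetch live exchange rates between any currency pairs from XE.com. Use when: user asks about currency conversion, exchange rates, forex rates, or converting a... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 3763 cumulative downloads to date.
How do I install Exchange Rates?
Run the command "/install exchange-rates" in the OpenClaw or Claude Code chat box for one-click installation; no extra configuration is required.
Is Exchange Rates free?
Yes, Exchange Rates is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does Exchange Rates support?
Exchange Rates is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Exchange Rates?
It is developed and maintained by mrInvincible29 (@mrinvincible29); the current version is v1.0.1.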