Exchange Rates
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to perform the advertised exchange-rate lookup, but it relies on local browser automation with an embedded localhost token and undeclared setup details.
This skill is reasonable for exchange-rate lookups, but install it only if you are comfortable with it contacting XE.com/open.er-api.com and connecting to a local Browserless service on port 7002. Verify that Playwright/Browserless and the embedded localhost CDP token are expected in your environment.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may drive a local headless browser and make network requests to XE.com when answering exchange-rate questions.
The skill controls a local browser automation endpoint to load XE.com. This is disclosed and purpose-aligned, but it is broader authority than a direct rate API call.
browser = await chromium.connectOverCDP(CDP_URL); ... await page.goto(url, { waitUntil: 'networkidle', timeout: 20000 });
Use it only if local Browserless/Playwright automation is expected, and keep that browser service isolated from unrelated browsing sessions.
If a Browserless service is running on localhost:7002 with that token, the skill can access it for browser automation.
A token for a localhost Browserless/CDP endpoint is embedded in the script while metadata declares no primary credential. The code uses it only for the stated browser lookup, but the privilege should be visible to users.
const CDP_URL = 'ws://localhost:7002?token=ec546...';
Prefer a declared, user-configured endpoint/token and verify that this hard-coded localhost token is intended for your environment.
The skill may fail or rely on globally available packages/services that are not captured in the skill artifacts.
The included script depends on Playwright and a local browser service, but the supplied artifacts include no package manifest or install specification. This may affect reliability and reviewability.
import { chromium } from 'playwright-core';
Add explicit install instructions or a package manifest/lockfile, and document the required local Browserless service.
