Security scan
OpenClaw
Suspicious
Medium confidence: the skill claims to be a zero-dependency, local-only analyzer, but the code provided includes a cloud server, a telemetry host, Stripe billing hooks, local database paths and optional third-party imports. These parts do not match the promises made in SKILL.md and should be treated with caution.
Assessment recommendations
The package is inconsistent with its README/skill metadata: it claims 'zero dependencies' and 'local only', but contains a cloud server, telemetry that can POST analytics, Stripe/billing hooks and code that will create a local database.
Before installing or running:
1) Check `convoyield/__init__.py` and `orchestrator` to see whether telemetry is instantiated automatically; search the repository for uses of the Telemetry class and outbound network calls (`urllib.request.urlopen` / `Request`).
2) Do not run the 'server' on a public host before reviewing the environment variables (`STRIPE_*`, `DATABASE_URL`) and confirming that you actually want to host the API and dashboard on the local machine.
3) Run in an isolated environment (fresh venv or container) and avoid supplying secrets (Stripe keys, database credentials) before you understand the billing behaviour.
4) If you only want the local analyzer, find and disable telemetry (look for Telemetry(...) calls or an `ENABLE_TELEMETRY` toggle) or modify the code to prevent any network calls.
5) If possible, ask the author or check the repository README ...
⚠ Purpose and capabilities
SKILL.md promises 'Zero external dependencies', 'Zero API calls', and purely local analysis, but the repository contains a FastAPI cloud server, Stripe billing integration, PostgreSQL/Postgres client code (psycopg2), a telemetry phone‑home module, and other subsystems (web dashboard, webhooks, ConvoCoin/token code). Those components are not necessary for a simple local conversation analyzer and contradict the advertised 'zero infrastructure' claim.
⚠ Instruction scope
The runtime instructions (SKILL.md) instruct local use, but the codebase includes a telemetry sender that can POST aggregated analytics to a server, a CLI that can register API keys with a server, and a cloud server that stores telemetry and manages keys and billing. SKILL.md does not disclose these network/db/billing behaviors or when/if telemetry is enabled, creating scope creep and potential data exfiltration risk if the telemetry is used.
ℹ Install mechanism
There is no install spec (instruction-only from the registry), which reduces installer risk. However, the repository contains many Python modules that import optional third‑party packages (fastapi, stripe, psycopg2, uvicorn). Running server/CLI features will require installing those packages and may write files to disk (e.g., ~/.convoyield/analytics.db). No external download URLs or archive extraction were found in the install metadata.
⚠ Credential requirements
The skill declares no required env vars, but code references multiple environment variables (DATABASE_URL, CONVOYIELD_DB, STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET, STRIPE_PRICE_*, BASE_URL, etc.). Those env vars permit database connections and billing/payment configuration; requesting or using them is disproportionate to the SKILL.md claim of a self-contained local analyzer and is not documented in the SKILL.md metadata.
ℹ Persistence and permissions
The skill does not set always:true and is user-invocable (normal). Still, runtime components can create persistent state (SQLite at ~/.convoyield/analytics.db by default), run an HTTP server exposing endpoints, and manage API keys/billing. Running the CLI/server will open network ports and create local persistent data which increases blast radius if misconfigured; this is not documented in SKILL.md.
Security is layered; review the code before running it.
Runtime dependencies
🖥️ OS: macOS · Linux · Windows
Version
latest: v1.0.0 · 2026/3/2
Initial release
● Suspicious
Install command
Official: npx clawhub@latest install opencrawl
Mirror (accelerated): npx clawhub@latest install opencrawl --registry https://cn.clawhub-mirror.com
Skill documentation
Introduction
ConvoYield is a conversational yield optimization engine that treats every bot conversation as a yield-bearing financial instrument. Five zero-cost engines detect emotional arbitrage...
# Installation and running
Please refer to the English instructions in the original SKILL.md (kept untranslated).
# Usage example
# Original command kept, not translated
example_command
# Note: take the security scan results and assessment into account, and make sure the necessary auditing and configuration are done before using this in a production environment.
Data source: ClawHub ↗ · Chinese localization: 龙虾技能库