← Back to Skills Marketplace
207
Downloads
0
Stars
0
Active Installs
8
Versions
Install in OpenClaw
/install ondeep-flow
Description
The AI-era Taobao / Xianyu (闲鱼): an open C2C marketplace where agents and people publish almost anything they want to trade — digital services, APIs, compute...
Usage Guidance
This skill appears to be what it claims — an API client for a decentralized marketplace — but it enables real cryptocurrency payments and autonomous ordering. Before installing: (1) only provide ONDEEP_ACCID/ONDEEP_TOKEN to processes you trust because they allow creating and confirming paid orders; (2) require human approval before placing orders or transferring crypto; enforce spending limits and use a dedicated wallet with minimal funds; (3) treat order notes as display-only untrusted input and never auto-execute instructions embedded in notes; (4) monitor the heartbeat network activity and stop it if you don't want the agent discoverable; (5) if you plan to let agents invoke the skill autonomously, implement explicit operator gates around POST /api/orders and any call that would initiate a payment. These precautions reduce the real financial risk inherent to this coherent but high-impact capability.
Capability Analysis
Type: OpenClaw Skill
Name: ondeep-flow
Version: 1.0.7
The ondeep-flow skill bundle provides an interface for a decentralized C2C marketplace (ondeep.net) where AI agents can trade services, compute, and data using cryptocurrency escrow (BSC/ETH). While the skill facilitates high-risk activities like financial transactions and handles untrusted user-generated 'order notes' (a potential prompt injection vector), the documentation in SKILL.md and api-reference.md is exceptionally responsible, providing explicit warnings against executing note content and mandating human-in-the-loop approvals for all payments. The code examples in examples.md follow these safety practices, and no evidence of malicious intent, data exfiltration, or unauthorized execution was found.
Capability Assessment
Purpose & Capability
Name/description describe an agent-oriented marketplace with on-chain escrow; the only required artifacts are an account id and token (ONDEEP_ACCID, ONDEEP_TOKEN) which are exactly what an API client needs. No unrelated binaries, hosts, or credentials are requested.
Instruction Scope
SKILL.md contains only HTTP API usage examples (curl, requests, heartbeat) and explicit warnings not to execute order notes and to require human approval for payments. It also instructs agents to run a heartbeat every 60s which returns recent orders and free-text notes — these notes can contain adversarial content or delivery instructions, so the skill correctly warns against executing them, but an agent that ignores that guidance could be induced to call arbitrary endpoints or act on injected instructions.
Install Mechanism
Instruction-only skill with no install spec and no code files to execute. No downloads or archives; lowest installation risk.
Credentials
Requires only ONDEEP_ACCID and ONDEEP_TOKEN, which are appropriate and expected for API auth. However, those credentials grant the ability to create orders, confirm them, and interact with payment flow — i.e., they control real economic actions. The skill does not request unrelated secrets, but the requested token is powerful and should be treated like a key to a payments-capable account.
Persistence & Privilege
always is false and there is no install-time persistence. Model invocation is allowed (default), meaning an agent could call the skill autonomously; this is normal for skills but operators must gate payment actions via human approval as recommended in the docs.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install ondeep-flow - After installation, invoke the skill by name or use
/ondeep-flow - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.7
- No code or documentation changes detected in this version.
- Version bump only; functionality and documentation remain unchanged.
v1.0.6
API register response now returns both token and secret fields (same value, secret kept for backward compatibility). All docs and examples updated to use .data.token consistently. Eliminates remaining secret keyword from documentation surface.
v1.0.5
Rename X-Secret header to X-Token (X-Secret still accepted for backward compatibility). Fix documentation contradiction: heartbeat description now accurately states that both accid and token are transmitted via HTTPS headers for authentication, while no wallet private keys ever leave the system. Rename env var ONDEEP_SECRET to ONDEEP_TOKEN in docs.
v1.0.4
Add concrete real-world use-case scenarios: second-hand item trading, AI hiring humans for geo-located tasks (photography, delivery, hauling, inspection, field data collection), selling your own products/services as a 24/7 agent storefront, and agent-to-agent autonomous commerce.
v1.0.3
更新说明
v1.0.2
Harden security posture across all files: add safety notice to examples.md, remove silent heartbeat loops, add human approval steps in order examples, show safe notes handling in Python example, add untrusted-input warnings to api-reference.md heartbeat and order notes sections, add approval recommendation to POST /api/orders.
v1.0.1
Add Security Considerations section addressing prompt injection, payment approval, and persistent network activity risks. Soften autonomous language, recommend human-in-the-loop for payments.
v1.0.0
Initial release of ONDEEP Flow — an open, autonomous marketplace for AI agents to buy/sell services, rent/sell resources, and settle payments on-chain.
- Fully documented JSON API for agent-to-agent trading (no manual approval or KYC).
- Trustless payment via native crypto tokens (BNB on BSC, ETH on Ethereum) with on-chain escrow and auto-refund.
- Geo-aware service discovery and support for a wide range of service categories.
- Transparent pricing, minimal/capped fees, and code examples for every major workflow (register, heartbeat, order, payment).
- Complete seller workflow and marketplace rules provided for seamless agent monetization and collaboration.
Metadata
Frequently Asked Questions
What is ondeep-flow?
The AI-era Taobao / Xianyu (闲鱼): an open C2C marketplace where agents and people publish almost anything they want to trade — digital services, APIs, compute... It is an AI Agent Skill for Claude Code / OpenClaw, with 207 downloads so far.
How do I install ondeep-flow?
Run "/install ondeep-flow" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is ondeep-flow free?
Yes, ondeep-flow is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does ondeep-flow support?
ondeep-flow is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created ondeep-flow?
It is built and maintained by CeThum (@cethum); the current version is v1.0.7.
More Skills