← 返回 Skills 市场

Expanso keyword-extract

Name: Expanso keyword-extract
Author: aronchick

作者 Expanso · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

909

总下载

当前安装

版本数

在 OpenClaw 中安装

/install expanso-keyword-extract

功能描述

Extract keywords and key phrases from text using Expanso Edge for SEO, tagging, and indexing purposes.

使用说明 (SKILL.md)

keyword-extract

"Extract keywords and key phrases from text for SEO, tagging, and indexing"

Requirements

Expanso Edge installed (expanso-edge binary in PATH)
Install via: clawhub install expanso-edge

Usage

CLI Pipeline

# Run standalone
echo '\x3Cinput>' | expanso-edge run pipeline-cli.yaml

MCP Pipeline

# Start as MCP server
expanso-edge run pipeline-mcp.yaml

Deploy to Expanso Cloud

expanso-cli job deploy https://skills.expanso.io/keyword-extract/pipeline-cli.yaml

Files

File	Purpose
`skill.yaml`	Skill metadata (inputs, outputs, credentials)
`pipeline-cli.yaml`	Standalone CLI pipeline
`pipeline-mcp.yaml`	MCP server pipeline

安全使用建议

This skill runs Expanso pipelines that send your input text to an OpenAI model and also compute and emit an input_hash and trace metadata. Before installing: (1) Be aware that text you process may be sent to OpenAI — do not send sensitive data unless you are comfortable with that. (2) Provide an OPENAI_API_KEY only if you trust the key and account; note the skill's metadata marks the key optional even though the pipelines use it. (3) If you run MCP mode, the pipeline binds to 0.0.0.0 by default — run behind a firewall or bind to localhost to avoid exposing the endpoint. (4) If you need on-device privacy, investigate configuring a local backend (Ollama) instead of OpenAI, and verify the pipelines are adjusted accordingly. Finally, confirm you trust the expanso-edge/expanso-cli binaries referenced by the instructions before running them.

功能分析

Type: OpenClaw Skill Name: expanso-keyword-extract Version: 1.0.0 The skill is designed to extract keywords using an OpenAI LLM. It is classified as suspicious due to inherent prompt injection vulnerabilities. User input (`content()` in `pipeline-cli.yaml` and `this.text` in `pipeline-mcp.yaml`) is passed directly to the LLM as the 'user' message, and the `MAX_KEYWORDS` variable (user-controlled) is interpolated into the 'system' prompt. While there is no evidence of intentional malicious behavior like data exfiltration or unauthorized command execution, these direct inputs to the LLM create a risk of prompt injection, which is a significant vulnerability in LLM-based applications.

能力评估

ℹ Purpose & Capability

The declared purpose (keyword extraction) matches the provided pipelines and files. However, skill.yaml lists OPENAI_API_KEY as optional while both pipeline-cli.yaml and pipeline-mcp.yaml clearly require and use OPENAI_API_KEY for OpenAI completions. The skill also advertises local Ollama backends in metadata but the provided pipelines use the OpenAI processor. The mismatch between declared required credentials and the actual pipelines is an incoherence.

⚠ Instruction Scope

The SKILL.md and the pipelines instruct expanso-edge to: compute sha256(input) and other metadata, send the input text to OpenAI via openai_chat_completion, and (in MCP mode) listen on 0.0.0.0:${PORT} which exposes an HTTP endpoint if you run it. The skill logs trace_id and includes input_hash/input_length in outputs. Sending raw text to an external LLM and creating hashes of inputs are privacy-sensitive behaviors that are not highlighted in skill metadata; exposing an HTTP server on 0.0.0.0 can unintentionally accept external traffic.

✓ Install Mechanism

This is an instruction-only skill with no install spec or code to write to disk. That lowers install-time risk. It does require the expanso-edge binary to be present (documented).

⚠ Credentials

Pipelines require OPENAI_API_KEY to function, but the skill metadata marks it as not required. No other credentials are requested. The skill also supports MAX_KEYWORDS via env and uses OPENAI_API_KEY in cleartext substitution in pipeline files — ensure you supply a key you trust and understand that the key will be used to send your text to OpenAI. The optional listing of local Ollama models is not enforced by the pipelines and could be misleading.

✓ Persistence & Privilege

The skill does not request always:true, does not modify other skills' configs, and has no install step that persists additional privileged components. Running MCP mode will run a server but that is explicit in the docs.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install expanso-keyword-extract
安装完成后，直接呼叫该 Skill 的名称或使用 /expanso-keyword-extract 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial publish

元数据

Slug expanso-keyword-extract

版本 1.0.0

许可证 —

累计安装 1

当前安装数 1

历史版本数 1

常见问题