jcools1977

ConvoYield

Author: John DeVere Cooley · GitHub · v1.0.0
Platforms: macos, linux, windows ⚠ suspicious
Total downloads: 406
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install opencrawl
Description
Conversational Yield Optimization Engine — treats every bot conversation as a yield-bearing financial instrument. Five zero-cost engines detect sentiment arb...
Security usage advice
This package is inconsistent with its README/skill metadata: it advertises 'zero dependencies' and 'local-only', yet contains a cloud server, telemetry that can POST analytics, Stripe/billing hooks, and code that will create a local DB. Before installing or running:
  1. Inspect convoyield/__init__.py and orchestrator to see whether telemetry is instantiated automatically; search the repo for uses of the Telemetry class and for outbound network calls (urllib.request.urlopen / Request).
  2. Do not run 'server' on a public host without auditing env vars (STRIPE_*, DATABASE_URL) and confirming you want a locally hosted API and dashboard.
  3. Run in an isolated environment (fresh venv or container) and avoid supplying secrets (Stripe keys, DB credentials) until you understand billing behavior.
  4. If you only want the local analyzer, search for and disable telemetry (look for Telemetry(...) calls or an ENABLE_TELEMETRY toggle) or modify code to prevent any network calls.
  5. If possible, ask the author or check the repo README for explicit notes about telemetry defaults and the intended offline mode.
These steps will reduce the risk of accidental data transmission or unwanted persistent resources.
Functional analysis
Type: OpenClaw Skill
Name: opencrawl
Version: 1.0.0
The skill bundle is classified as suspicious due to significant discrepancies between its advertised capabilities and its actual implementation, constituting a form of prompt injection against the AI agent. The `SKILL.md` and `README.md` explicitly claim 'Zero external dependencies' and 'Zero API calls', yet the code includes a full 'ConvoYield Cloud' API server (`cloud/server.py`) with external dependencies (FastAPI, Uvicorn, Pydantic, Psycopg2, Stripe) and a telemetry client (`cloud/telemetry.py`) that sends 'anonymized yield data' (business intelligence derived from conversations) to a configurable endpoint, including an API key. Furthermore, a P2P networking stack (`convoyield/coin/network/node.py`) is present, enabling arbitrary network connections, which is completely undisclosed in the documentation. The local server and configurable webhook functionality also introduce potential risks for SSRF or data exfiltration if the agent is instructed to run these components with malicious parameters.
Capability assessment
Purpose & Capability
SKILL.md promises 'Zero external dependencies', 'Zero API calls', and purely local analysis, but the repository contains a FastAPI cloud server, Stripe billing integration, PostgreSQL/Postgres client code (psycopg2), a telemetry phone‑home module, and other subsystems (web dashboard, webhooks, ConvoCoin/token code). Those components are not necessary for a simple local conversation analyzer and contradict the advertised 'zero infrastructure' claim.
Instruction Scope
The runtime instructions (SKILL.md) instruct local use, but the codebase includes a telemetry sender that can POST aggregated analytics to a server, a CLI that can register API keys with a server, and a cloud server that stores telemetry and manages keys and billing. SKILL.md does not disclose these network/db/billing behaviors or when/if telemetry is enabled, creating scope creep and potential data exfiltration risk if the telemetry is used.
Install Mechanism
There is no install spec (instruction-only from the registry), which reduces installer risk. However, the repository contains many Python modules that import optional third‑party packages (fastapi, stripe, psycopg2, uvicorn). Running server/CLI features will require installing those packages and may write files to disk (e.g., ~/.convoyield/analytics.db). No external download URLs or archive extraction were found in the install metadata.
Credentials
The skill declares no required env vars, but code references multiple environment variables (DATABASE_URL, CONVOYIELD_DB, STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET, STRIPE_PRICE_*, BASE_URL, etc.). Those env vars permit database connections and billing/payment configuration; requesting or using them is disproportionate to the SKILL.md claim of a self-contained local analyzer and is not documented in the SKILL.md metadata.
Persistence & Privilege
The skill does not set always:true and is user-invocable (normal). Still, runtime components can create persistent state (SQLite at ~/.convoyield/analytics.db by default), run an HTTP server exposing endpoints, and manage API keys/billing. Running the CLI/server will open network ports and create local persistent data which increases blast radius if misconfigured; this is not documented in SKILL.md.
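How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the dialog: /install opencrawl
  3. Once installation completes, call the Skill by name or trigger it with /opencrawl
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history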
v1.0.0
Initial release
Metadata
Slug opencrawl
Version 1.0.0
License
Total installs 0
Current installs 0
Version count 1
FAQ

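What is ConvoYield?

Conversational Yield Optimization Engine — treats every bot conversation as a yield-bearing financial instrument. Five zero-cost engines detect sentiment arb... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 406 total downloads to date.

How do I install ConvoYield?

Run the command "/install opencrawl" in the OpenClaw or Claude Code dialog for one-click installation; no additional configuration is required.

Is ConvoYield free?

Yes, ConvoYield is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does ConvoYield support?

ConvoYield runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (macos, linux, windows).

Who developed ConvoYield?

Developed and maintained by John DeVere Cooley (@jcools1977); the current version is v1.0.0.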
