← 返回 Skills 市场
Tip with Grove
作者
Daniel Olshansky
· GitHub ↗
· v1.0.0
1042
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install tip-with-grove
功能描述
Grove CLI guide - philosophy, commands, and quick start
安全使用建议
This skill appears to genuinely implement Grove CLI tips and includes helper scripts to fund, monitor, and batch-tip. However: (1) the install step runs a remote script via 'curl | bash' — inspect the install script (https://grove.city/install-cli.sh) before running or prefer an auditable release (GitHub release, package manager). (2) The bundled scripts expect and will use a wallet file at ~/.grove/keyfile.txt (private keys) and can perform on-chain funding/tipping; do not point them at a wallet that holds large funds. (3) The scripts use jq and bc but the manifest doesn't list those dependencies — ensure required utilities are installed. (4) Be careful with automation flags (--yes, cron) and webhook URLs — these can cause unattended transactions or data sent to external endpoints. Recommended actions: review the install script source, run the CLI in an isolated/test environment first, back up and preferably use a test wallet, verify and install missing dependencies (jq, bc), and avoid granting the skill access to production wallets until you trust the issuer.
功能分析
Type: OpenClaw Skill
Name: tip-with-grove
Version: 1.0.0
The skill bundle is classified as suspicious primarily due to the high-risk installation method specified in `SKILL.md`: `curl -fsSL https://grove.city/install-cli.sh | bash`. This method allows arbitrary code execution from a remote server, posing a significant supply chain vulnerability (RCE risk) if `grove.city` were compromised. While the scripts (`auto-fund.sh`, `batch-tip.sh`, `monitor-balance.sh`) and agent instructions are aligned with the stated purpose of a cryptocurrency tipping service and do not show clear malicious intent (e.g., data exfiltration to unrelated endpoints, stealthy backdoors), the `curl | bash` pattern is a critical security anti-pattern that warrants a 'suspicious' classification.
能力评估
Purpose & Capability
The name/description (Grove CLI tipping) matches the included scripts (auto-fund, monitor-balance, batch-tip) and SKILL.md guidance. However the package omits declaring some real runtime needs: the scripts call 'jq' and 'bc' (and rely on standard unix tools) but the manifest only requires curl and bash (and optionally python/node). The scripts also expect a wallet/keyfile at ~/.grove/keyfile.txt, but no required config path or credential is declared in the registry metadata. These omissions are inconsistent with the stated purpose and should be clarified.
Instruction Scope
SKILL.md instructs agents/users to run 'curl -fsSL https://grove.city/install-cli.sh | bash' to install the CLI and to run grove commands that create/use wallets and perform fund/tip operations. The included scripts will read/write local ~/.grove/ files and can execute fund/tip operations (including automated funding via cron or batch tipping). While this behavior is within the tipping domain, instructing automatic installation of remote code and automated operations on a wallet expands scope and requires explicit declarations and safeguards (the skill does provide some confirmation prompts, but the scripts support skipping confirmations).
Install Mechanism
The SKILL.md and metadata point to a remote install script executed via 'curl | bash' from https://grove.city/install-cli.sh. Download-and-execute installs are high-risk (remote code executed with local privileges). The url is not a known vetted package registry/release host in metadata; although it matches the skill homepage, this install method still deserves caution and review of the install script contents before running.
Credentials
No environment variables or credentials are declared in requires.env, yet the scripts implicitly rely on a wallet file (~/.grove/keyfile.txt) and optionally DEFAULT_NETWORK environment variable. They also POST to user-supplied webhook URLs. Access to a local private key file is directly relevant to tipping, but the registry should explicitly declare required config paths/credentials so users know a secret wallet file will be read/used. The absence of such declarations is an incoherence and a privacy/security risk.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. The scripts are normal user utilities (can be scheduled in cron) and do not request elevated platform privileges. Autonomous invocation is allowed by default for skills but is not combined with other excessive privileges here.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install tip-with-grove - 安装完成后,直接呼叫该 Skill 的名称或使用
/tip-with-grove触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Grove CLI guide released with philosophy, usage, and command reference.
- Detailed overview of tipping as a quality signal and knowledge graph builder
- Complete quick-start instructions for installation and first-time setup
- Full documentation of all CLI commands and configuration options
- Guidance on evaluating, logging, and sending tips to domains, socials, or addresses
- Documentation supports both human use and autonomous agent integration
元数据
常见问题
Tip with Grove 是什么?
Grove CLI guide - philosophy, commands, and quick start. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1042 次。
如何安装 Tip with Grove?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install tip-with-grove」即可一键安装,无需额外配置。
Tip with Grove 是免费的吗?
是的,Tip with Grove 完全免费(开源免费),可自由下载、安装和使用。
Tip with Grove 支持哪些平台?
Tip with Grove 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Tip with Grove?
由 Daniel Olshansky(@olshansk)开发并维护,当前版本 v1.0.0。
推荐 Skills