技能详情(站内镜像,无评论)
作者:Wanrong He @azure-vision
许可证:MIT-0
MIT-0 ·免费使用、修改和重新分发。无需归因。
版本:v0.4.22
统计:⭐ 1 · 775 · 2 current installs · 2 all-time installs
⭐ 1
安装量(当前) 2
🛡 VirusTotal :可疑 · OpenClaw :可疑
Package:azure-vision/caravo
安全扫描(ClawHub)
- VirusTotal :可疑
- OpenClaw :可疑
OpenClaw 评估
The skill's declared purpose (a marketplace CLI) lines up with its requirements (Node + an API key + an npm CLI), but there are inconsistencies and operational risks — notably automatic wallet creation/payments and registry metadata mismatches — that warrant caution before installing or enabling it.
目的
Name and description match the required pieces: Node + an npm CLI package (@caravo/cli) + a CARAVO_API_KEY credential are all coherent for a marketplace/CLI integration. However the registry summary shows 'Required env vars: none' while the skill declares a primaryEnv of CARAVO_API_KEY, and the registry metadata provides no homepage though SKILL.md references caravo.ai and GitHub. These metadata inconsistencies should be resolved.
说明范围
The runtime instructions require running 'npx -y @caravo/cli@latest start' on first use, and the CLI will auto-generate a local wallet (~/.caravo/wallet.json) and handle micropayments automatically. That goes beyond mere data lookup: the skill can cause financial actions, create and store private keys locally, and proxy calls to many external services (email, SMS, scraping, model inference). Those behaviors are plausible for a marketplace but …
安装机制
Install is via a published Node package (@caravo/cli) which is a common, expected mechanism. NPM installs run untrusted code at install/run time; this is moderate risk but not unusual for a CLI. There is no direct download-from-URL or obscure host, which lowers risk. Because this skill is instruction-only, the npm package will be the executable code executed on first use — inspect the package and GitHub repo before trusting it.
证书
Requiring a CARAVO_API_KEY as the primary credential is reasonable for a marketplace, but the registry metadata's omission of required env vars conflicts with the SKILL.md's primaryEnv. More importantly, the CLI auto-generates and stores a local USDC wallet (wallet.json) which contains private keys used to pay providers; that file is a high-value secret on disk. The skill can therefore trigger spendable actions without provider-specific keys, …
持久
always:false (not forced into every agent) and no special system-wide privileges are requested. The skill does create and use files under ~/.caravo/, which is consistent with its stated wallet/config behavior. Note: default agent autonomy (disable-model-invocation:false) combined with the ability to make payments increases potential impact if the agent is allowed to act without human confirmation.
安装(复制给龙虾 AI)
将下方整段复制到龙虾中文库对话中,由龙虾按 SKILL.md 完成安装。
请把本段交给龙虾中文库(龙虾 AI)执行:为本机安装 OpenClaw 技能「Caravo Service Marketplace」。简介:Caravo is the first service marketplace built for autonomous AI agents — featur…。
请 fetch 以下地址读取 SKILL.md 并按文档完成安装:https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/azure-vision/caravo/SKILL.md
(来源:yingzhi8.cn 技能库)SKILL.md
暂无本地缓存内容,可在后台执行详情同步。