Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Crewai Team

v1.0.0

Use a CrewAI multi-agent team for product requirements analysis and PRD generation

by Mr-ChenXY @namechenxinyu

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for namechenxinyu/crewai-team.

Install the skill "Crewai Team" (namechenxinyu/crewai-team) from ClawHub.
Skill page: https://clawhub.ai/namechenxinyu/crewai-team
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: python3.10
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install crewai-team

ClawHub CLI

npx clawhub@latest install crewai-team
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description (CrewAI multi-agent PRD generation) matches the included code and docs (team_config, run_*.py, README, etc.). Requiring python3.10 is reasonable. However the registry metadata claims no required env vars while the SKILL.md and SETUP.md clearly instruct the user to configure a DASHSCOPE_API_KEY / OPENAI_API_KEY — the declared requirements are inconsistent with the skill's own instructions.
! Instruction Scope
SKILL.md and SETUP.md instruct the user to supply an API key and run local scripts. Multiple runtime scripts (e.g., run_discussion.py, run_hierarchical.py, run_interactive.py, run_minimal.py, run_mobile.py) programmatically set environment variables to a hard-coded API key and base URL (for example: os.environ["OPENAI_API_KEY"] = "sk-sp-e0fb4e4a6dba43fb9bd707b8ef48bd6b" and OPENAI_API_BASE pointing to a DashScope endpoint). That contradicts instructions to use your own .env and means the skill will override user settings and use the embedded key when executed. Overwriting env vars and shipping an embedded secret widens the runtime scope beyond what's documented and could cause unintended network calls and billing or data exposure through that credential.
Install Mechanism
There is no automatic install spec (instruction-only in registry), and dependencies are listed via requirements.txt (crewai, crewai-tools, langchain-*). That is proportionate for a Python-based multi-agent tooling package. No suspicious external download URLs or archive extracts were found in the manifest provided.
! Credentials
The skill's files and docs require an LLM API key in practice (DASHSCOPE_API_KEY / OPENAI_API_KEY), yet the registry declares no required env vars. Worse, multiple run_*.py scripts hard-code an API key and base URL into os.environ — a clear mismatch and an embedded credential. Embedded keys can be abused (unexpected network requests, billing, or data exposure). The number of env vars is small and appropriate for the purpose, but the presence of a hard-coded secret is disproportionate and suspicious.
Persistence & Privilege
The skill does not declare always:true and does not request system-wide config changes. It writes output PRD files to the workspace (expected). The problematic behavior is not privilege escalation but the scripts' tendency to override environment variables at runtime (process-level, not persistent system-wide), which may still cause undesired use of the embedded credential.
What to consider before installing
This package appears to implement a legitimate CrewAI multi-agent PRD generator, but exercise caution before running it. Key points:

  1. Several runtime scripts embed and set a hard-coded API key and API base (e.g., run_discussion.py and others set os.environ['OPENAI_API_KEY'] = "sk-..." and OPENAI_API_BASE to a DashScope URL). Embedded secrets are a serious red flag — they may be stale, leaked, or intentionally included to route usage through someone else's account.
  2. The SKILL.md/SETUP.md tell you to configure your own .env/DASHSCOPE_API_KEY, yet the registry metadata lists no env vars — this inconsistency suggests sloppy or unsafe packaging.
  3. Don’t run the scripts until you’ve inspected and removed the hard-coded keys: search all run_*.py and team_config files for os.environ assignments and replace them with secure code that reads from your .env or process environment.
  4. If the embedded key is valid, treat it as compromised: do not rely on it, and rotate any of your own keys if you ran these scripts with them present.
  5. Prefer running in an isolated environment (container or VM), review network calls (especially to the configured OPENAI_API_BASE / dashscope endpoint), and review send-to-external integrations (Feishu/webhook code) before use.

If you want to proceed safely:

  a) remove/neutralize the hard-coded key lines,
  b) ensure the code reads API credentials only from your explicit .env or process env,
  c) run tests offline or with a known test key, and
  d) consider auditing the code for any unexpected outbound network calls.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

👥 Clawdis
Bins: python3.10
latest: vk97cach5tnxppemcqzzf7tj5dd834mfs
172 downloads
0 stars
1 version
Updated 23h ago
v1.0.0
MIT-0

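CrewAI Team Collaboration Skill

Overview

This skill invokes a CrewAI multi-agent team to carry out a complete product requirements analysis and output a standard PRD document.

Team members

Role: Responsibilities
📊 Market research analyst: competitor analysis, user research
🎨 Product design expert: feature design, UI recommendations
🏗️ Technical director: architecture design, task breakdown
💻 Full-stack technical expert: code implementation examples
✅ Quality expert: test plan, acceptance criteria

Usage

Method 1: Run the script directly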

cd ~/.openclaw/workspace/crewai_team
python3.10 run_team.py "产品创意描述"

Method 2: Via an OpenClaw sub-agent

sessions_spawn(
    task="用 CrewAI 分析产品需求:[产品创意]",
    runtime="subagent",
    cwd="/Users/dayangyu/.openclaw/workspace/crewai_team"
)

Method 3: Call from Python code

from crewai_team.team_config import create_product_team

crew = create_product_team("产品创意", verbose=True)
result = crew.kickoff()

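Output

A complete PRD document, including:

  • Market research report
  • Product design proposal
  • Technical architecture proposal
  • Development guide
  • Quality assurance plan

Prerequisites

  1. Install CrewAI: python3.10 -m pip install crewai crewai-tools
  2. Configure the API key: copy .env.example to .env and fill in your DashScope API key

Notes

  • The first run takes 5-10 minutes (dependency download + multiple rounds of analysis)
  • Make sure you have sufficient API quota
  • Manual review of the output is recommended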
