Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ConvoYield

v1.0.0

Conversational Yield Optimization Engine — treats every bot conversation as a yield-bearing financial instrument. Five zero-cost engines detect sentiment arb...

0· 340·0 current·0 all-time
by John DeVere Cooley (@jcools1977)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability (flagged)
SKILL.md promises 'Zero external dependencies', 'Zero API calls', and purely local analysis, but the repository contains a FastAPI cloud server, Stripe billing integration, PostgreSQL client code (psycopg2), a telemetry phone-home module, and further subsystems (web dashboard, webhooks, ConvoCoin/token code). None of these is needed for a simple local conversation analyzer, and together they contradict the advertised 'zero infrastructure' claim.

Instruction Scope (flagged)

The runtime instructions in SKILL.md describe local use only, but the codebase includes a telemetry sender that can POST aggregated analytics to a server, a CLI that can register API keys with that server, and a cloud server that stores telemetry and manages keys and billing. SKILL.md does not disclose these network, database or billing behaviors, nor whether or when telemetry is enabled. That is scope creep, and a data exfiltration risk if the telemetry path is ever active.
Install Mechanism
There is no install spec (instruction-only from the registry), which reduces installer risk. However, the repository contains many Python modules that import optional third‑party packages (fastapi, stripe, psycopg2, uvicorn). Running server/CLI features will require installing those packages and may write files to disk (e.g., ~/.convoyield/analytics.db). No external download URLs or archive extraction were found in the install metadata.
Credentials (flagged)
The skill declares no required env vars, but code references multiple environment variables (DATABASE_URL, CONVOYIELD_DB, STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET, STRIPE_PRICE_*, BASE_URL, etc.). Those env vars permit database connections and billing/payment configuration; requesting or using them is disproportionate to the SKILL.md claim of a self-contained local analyzer and is not documented in the SKILL.md metadata.
Persistence & Privilege
The skill does not set always:true and is user-invocable (normal). Still, runtime components can create persistent state (SQLite at ~/.convoyield/analytics.db by default), run an HTTP server exposing endpoints, and manage API keys/billing. Running the CLI/server will open network ports and create local persistent data which increases blast radius if misconfigured; this is not documented in SKILL.md.
What to consider before installing
This package is inconsistent with its README and skill metadata: it advertises 'zero dependencies' and 'local-only', yet contains a cloud server, telemetry that can POST analytics, Stripe/billing hooks, and code that will create a local DB. Before installing or running:

1) Inspect convoyield/__init__.py and the orchestrator to see whether telemetry is instantiated automatically; search the repo for uses of the Telemetry class and for outbound network calls (urllib.request.urlopen / Request).
2) Do not run 'server' on a public host without auditing the env vars (STRIPE_*, DATABASE_URL) and confirming you actually want a locally hosted API and dashboard.
3) Run in an isolated environment (fresh venv or container) and do not supply secrets (Stripe keys, DB credentials) until you understand the billing behavior.
4) If you only want the local analyzer, find and disable telemetry (look for Telemetry(...) calls or an ENABLE_TELEMETRY toggle) or modify the code so it cannot make network calls.
5) If possible, ask the author or check the repo README for explicit notes on telemetry defaults and the intended offline mode.

These steps reduce the risk of accidental data transmission or unwanted persistent resources.

Like a lobster shell, security has layers — review code before you run it.

latest: vk9747k4v23sx6ahetpqje2w5ah823g4a


Runtime requirements

📈 Clawdis
OS: macOS · Linux · Windows
Bins: python