Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Northstar

Delivers a daily business briefing with Stripe and Shopify metrics, alerts, and goal tracking via your chosen channel at your scheduled time.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's functionality (pull Stripe/Shopify metrics and deliver briefings) is coherent with the included code and docs. However the registry metadata claims 'no install spec' and 'no required env vars/credentials', while the SKILL.md, INSTALL.md and clawhub.json clearly describe installing a CLI, writing a config at ~/.clawd/skills/northstar/config/northstar.json, and storing API keys (Stripe/Shopify/Lemon Squeezy/Gumroad). That mismatch between declared metadata and actual requirements is an inconsistency the user should be aware of.
Instruction Scope
SKILL.md instructs writing API keys into a local config and running commands that may schedule cron jobs; it also repeatedly claims keys stay local and are 'never sent to any third party'. The changelog (included in the bundle) states license activation performs a call to an external endpoint (api.polar.sh) for key validation and mentions an embedded HMAC secret used for license tokens. The docs and changelog therefore contradict each other about whether any data is sent externally — you should verify exactly what the activation path transmits (if anything) before entering production credentials.
Install Mechanism
The bundle contains install scripts (scripts/install.sh and top-level install.sh) and clawhub.json lists an install script. The install flow described writes a binary to ~/.local/bin and config files to ~/.clawd/skills/northstar/. This is a typical local install model (no third-party binary download host shown), but the registry's earlier 'instruction-only / no install spec' claim is incorrect. Review the provided install scripts before running them.
Credentials
The skill needs service credentials (Stripe restricted keys, Shopify access tokens, optional Lemon Squeezy/Gumroad keys) per SKILL.md/INSTALL.md, but the registry metadata lists no required env vars or primary credential. Credentials are stored in a plaintext config file under the user's home directory by default. Additionally, the changelog references an HMAC secret embedded in code for license token signing — embedded secrets and local plaintext config storage increase risk if you don't audit the code that handles activation and any outbound network calls.
Persistence & Privilege
The skill does not request 'always: true' and follows standard local-skill behavior: it installs a CLI helper, writes files under the user's home, and suggests adding a cron entry for scheduled runs. These are normal for this functionality, but because the skill can be scheduled and invoked autonomously, confirm the license/activation steps do not cause unexpected network calls or send sensitive data.
What to consider before installing
What to check before installing or entering real credentials:

- Metadata mismatch: the registry claims 'no install/spec' and 'no credentials' but the package contains install scripts and expects API keys in ~/.clawd/skills/northstar/config. Treat the metadata as incomplete and inspect the install flow.
- Inspect the install scripts and main Python files (scripts/northstar.py and scripts/northstar_pro.py) for any outbound network calls before entering keys. Search the code for hostnames/URLs (e.g., api.polar.sh), 'requests.post/put', 'urllib', or any socket usage to see what is sent during activation or runtime.
- Verify activation behavior: changelog mentions a license activation call and an HMAC secret in code. Run northstar in demo/test mode first (northstar demo / northstar test) without real credentials and review the activation code path (northstar activate) to confirm whether it transmits your Stripe/Shopify API keys or only validates a license key.
- Prefer least privilege credentials: create and use Stripe Restricted Keys with the minimum read scopes recommended in INSTALL.md. For Shopify, use a custom app token with read-only scopes. Do not supply full admin/secret keys unless you understand the code path.
- Payment & licensing: the project documents manual Venmo payments and an out-of-band license delivery process. That is an operational risk (manual money transfer + manual license issuance). Be cautious sending payment before verifying the activation flow and the maintainer identity. Prefer paying via platform-backed channels when possible.
- Run in an isolated environment first: install and test on a throwaway account or VM, examine network traffic (e.g., with a proxy) during 'activate' and 'run' to confirm no unexpected exfiltration of keys occurs.
- If you don't want plaintext credentials on disk: look through the code to see whether it supports environment variables or system keyring usage. If not supported, consider storing credentials in a keyring and modifying the code or requesting that feature from the author.
- When in doubt: ask the maintainer for clarity (public repo/contact listed in README), request a clear statement of what 'activate' sends over the network, and ask for reproducible steps showing activation without transmitting API keys. If you are not comfortable with manual review, avoid using real production keys.
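The code search recommended above (network imports, calls such as requests.post, and hard-coded hosts) can be done on the syntax tree instead of with grep, so comments and unrelated strings are not matched. This is an added example, not part of the scan report or of Northstar's code; the module list and the sample source are assumptions constructed for illustration.

```python
import ast
import re
from pathlib import Path

# Modules that can open outbound connections (an assumed, non-exhaustive list).
NET_MODULES = {"requests", "urllib", "urllib3", "http", "httpx", "aiohttp", "socket"}
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")

def _root_name(node):  # leftmost name of a dotted expression, else None
    while isinstance(node, ast.Attribute):
        node = node.value
    return node.id if isinstance(node, ast.Name) else None

def audit_source(source, filename="<memory>"):
    """Return sorted (line, kind, detail) findings for one Python source string."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        modules = []
        if isinstance(node, ast.Import):
            modules = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            modules = [node.module or ""]
        for name in modules:
            if name.split(".")[0] in NET_MODULES:
                findings.append((node.lineno, "import", name))
        if isinstance(node, ast.Call) and _root_name(node.func) in NET_MODULES:
            findings.append((node.lineno, "call", ast.unparse(node.func)))
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for host in URL_HOST.findall(node.value):
                findings.append((node.lineno, "host", host))
    return sorted(findings)

def audit_tree(root):
    """Audit every .py file under root; maps file path to its findings."""
    return {str(p): audit_source(p.read_text(encoding="utf-8"), str(p))
            for p in sorted(Path(root).rglob("*.py"))}

# Constructed sample, NOT Northstar's code; the URL path is a placeholder.
SAMPLE = '''
import json
import requests
def activate(key):
    r = requests.post("https://api.polar.sh/EXAMPLE-PATH", json={"key": key})
    return r.ok
'''

if __name__ == "__main__":
    for line, kind, detail in audit_source(SAMPLE):
        print(f"line {line}: {kind:6} {detail}")
```

Point audit_tree at the unpacked bundle to get the same findings per file. Aliased imports, dynamic imports and subprocess calls to tools like curl are not resolved, so this static pass narrows where to read and does not replace watching traffic through a proxy.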

Like a lobster shell, security has layers — review code before you run it.

Current version: v2.12.0

SKILL.md

Northstar - Daily Business Briefing

Northstar delivers a clean daily business briefing to your preferred channel every morning. Connect your Stripe and/or Shopify accounts, configure your schedule, and wake up knowing.

No more tab-hopping. Your agent does the work while you sleep.

What It Does

Every morning at your configured time, Northstar:

  1. Pulls yesterday's revenue from Stripe (MRR, new subs, churn, payment failures)
  2. Pulls order data from Shopify (orders, refunds, top products)
  3. Calculates week-over-week and month-to-date metrics
  4. Flags anything that needs attention (unusual churn, payment retries, large refunds)
  5. Delivers a clean briefing via your preferred channel (iMessage, Slack, Telegram, or Email)

Example Output

📊 Northstar Daily Briefing - March 22
Revenue yesterday: $1,247 (+12% vs last week)
Active subscribers: 342 (+3 new, -1 churn)
Month-to-date: $18,430 (74% of $24,900 goal)

Shopify: 23 orders fulfilled | 8 open | 1 refund ($47)

⚠️ 2 payment retries pending - review in Stripe
Next: 6 days left in month, on track.

Quick Start

1. Install and try the demo

clawhub install northstar
northstar demo    # See a sample briefing immediately - no config needed

2. Set up (interactive wizard, ~4 minutes)

northstar setup

The setup wizard walks you through everything: tier selection, API keys, delivery channel, and schedule. No JSON editing required.

3. Test with your real data

northstar test

Dry-run briefing printed to terminal. No message sent until you're ready.

4. Go live

northstar run    # Send briefing now

Or schedule it (add to OpenClaw cron via openclaw cron edit):

# Northstar daily briefing at 6:00 AM
0 6 * * * northstar run

Manual configuration (optional)

If you prefer editing config directly instead of using the setup wizard:

cp ~/.clawd/skills/northstar/config/northstar.json.example ~/.clawd/skills/northstar/config/northstar.json

Edit northstar.json with your API keys. See Configuration section below.

Configuration

Config file: ~/.clawd/skills/northstar/config/northstar.json

{
  "delivery": {
    "channel": "imessage",
    "recipient": "+15551234567"
  },
  "schedule": {
    "hour": 6,
    "timezone": "America/New_York"
  },
  "stripe": {
    "enabled": true,
    "api_key": "sk_live_YOUR_KEY_HERE",
    "monthly_revenue_goal": 24900
  },
  "shopify": {
    "enabled": false,
    "shop_domain": "your-store.myshopify.com",
    "access_token": "shpat_YOUR_TOKEN_HERE"
  },
  "alerts": {
    "payment_failures": true,
    "churn_threshold": 3,
    "large_refund_threshold": 100
  }
}

Delivery Channels

Channel | Config value | Recipient format
iMessage | "imessage" | Phone number: "+15551234567"
Slack | "slack" | Webhook URL
Telegram | "telegram" | Chat ID (numeric)
Email | "email" | SMTP config (Gmail App Password supported)
Terminal only | "none" | n/a (dry-run mode)

Stripe Setup

  1. Go to Stripe Dashboard
  2. Create a Restricted Key with read-only access to:
    • charges (read)
    • customers (read)
    • subscriptions (read)
    • invoices (read)
  3. Paste the key into stripe.api_key

Set monthly_revenue_goal to your MRR target in dollars (e.g., 24900 = $24,900/month goal).
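The sample config above shows an sk_live_ value in stripe.api_key while these steps call for a Restricted Key, and the file holds credentials in plaintext. A pre-flight check for both, as an added example that is not part of Northstar: it assumes POSIX file modes, Stripe's rk_ prefix for restricted keys, and treats any value containing YOUR_ as a placeholder.

```python
import json
import os
import stat
import tempfile

def check_config(path):
    """Return a list of findings for a northstar.json-style config file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit set
        findings.append(f"mode {mode:03o}: readable beyond the owner, chmod 600")
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    stripe = cfg.get("stripe", {})
    key = stripe.get("api_key", "")
    if stripe.get("enabled"):
        if key.startswith("sk_"):
            findings.append("stripe.api_key is a full secret key (sk_), not a restricted key (rk_)")
        elif not key.startswith("rk_"):
            findings.append("stripe.api_key has an unrecognised prefix")
    # A real token left in place for a disabled integration is needless exposure.
    shopify = cfg.get("shopify", {})
    token = shopify.get("access_token", "")
    if not shopify.get("enabled") and token and "YOUR_" not in token:
        findings.append("shopify is disabled but a real access_token is still stored")
    return findings

# Constructed sample values; none of these are real credentials.
SAMPLE = {
    "stripe": {"enabled": True, "api_key": "sk_live_CONSTRUCTED"},
    "shopify": {"enabled": False, "access_token": "shpat_CONSTRUCTED"},
}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "northstar.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE, fh)
        os.chmod(path, 0o644)
        for finding in check_config(path):
            print("-", finding)
```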

Shopify Setup

  1. Go to your Shopify Admin > Apps > Develop apps
  2. Create a custom app with read access to:
    • read_orders
    • read_products
  3. Install the app and copy the Admin API access token
  4. Set shopify.enabled: true, add your shop domain and token

Commands

Command | Description
northstar demo | Start here. Sample briefing with demo data -- no config needed
northstar run | Run briefing now, send to configured channel
northstar test | Dry-run - print briefing to terminal, no message sent
northstar status | Show config status and last run info
northstar stripe | Show Stripe data only (debug)
northstar shopify | Show Shopify data only (debug)
northstar digest | [Pro] Run weekly digest (7-day rollup, Sunday format)
northstar trend | [Pro] Show 7-day revenue trend with sparkline
Metrics Calculated

Stripe Metrics

  • Yesterday's revenue - total charges, successful only
  • Active subscribers - current subscription count
  • New subscribers - started in last 24 hours
  • Churned subscribers - canceled in last 24 hours
  • Net new MRR - (new MRR) - (churned MRR)
  • Month-to-date revenue - vs. your goal
  • Payment failures - retries and failed charges

Shopify Metrics

  • Orders fulfilled - yesterday
  • Open orders - pending fulfillment
  • Refunds - count and total value yesterday
  • Top product - highest-selling SKU yesterday

Calculated

  • Week-over-week revenue change - yesterday vs. same day last week
  • Month-to-date pacing - % of monthly goal, days remaining, on-track status

Requirements

  • Python 3.9+
  • OpenClaw with cron support
  • stripe Python package (pip install stripe)
  • requests Python package (for Shopify, usually pre-installed)

The install script handles dependencies automatically.

Pricing

Available on ClawHub:

Tier | Price | Features
Lite | Free | Stripe only, terminal output, manual run
Standard | $19/month | Stripe + Shopify, all delivery channels, scheduled runs
Pro | $49/month | Multi-channel delivery, custom metrics, weekly digest

To purchase Standard or Pro: open a GitHub issue or visit the landing page for the purchase link. After checkout, run northstar activate YOUR-LICENSE-KEY to activate.

Privacy

Northstar runs entirely on your machine. Your Stripe and Shopify API keys are stored locally in ~/.clawd/skills/northstar/config/northstar.json and are only used to call Stripe and Shopify directly from your local agent -- they are never sent to Northstar servers or third parties.

License activation: If you activate a Standard or Pro license key, the northstar activate command makes a single outbound call to api.polar.sh to validate the key. No other data is transmitted. If Polar is not configured, validation is offline (key format only).

Support

