ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Card Optimizer

v1.0.1

Credit card rewards optimizer — helps maximize cashback, points, and miles by recommending the best card for every purchase category. Tracks annual caps, calculates annual fee ROI, manages rotating quarterly categories, and suggests new cards based on spending patterns.

0· 2k·0 current·0 all-time
by@scottfo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the instructions: the SKILL.md describes recommending cards, tracking caps, ROI, and quarterly categories. All declared resources (local data/cards.json) are appropriate for that purpose and nothing extraneous (no cloud APIs, no unrelated credentials) is requested.
Instruction Scope
Instructions are self-contained and operate on a local data folder (data/card-optimizer/). The doc explicitly says it does NOT track individual purchases and only uses user-provided spending estimates. It does suggest optionally connecting bank accounts via third-party budgeting tools (outside scope) and recommends adding a cron job/heartbeat to automate quarterly reminders — these are implementation choices the user must authorize and review before enabling.
Install Mechanism
No install spec and no code files are provided (instruction-only). That minimizes disk/write/install risk; nothing is downloaded or executed by the skill itself.
Credentials
The skill requests no environment variables, credentials, or config paths. The data files it uses are local JSON files described in SKILL.md, which is proportionate to its stated functionality.
Persistence & Privilege
Defaults allow the agent to invoke the skill autonomously (platform default). The SKILL.md recommends adding a periodic cron job or heartbeat to automate quarterly activation reminders — this is optional and would be a user action; users should review any automation scripts before adding them. The skill does not request 'always: true' or any elevated platform privileges.
Assessment
This skill is instruction-only and only reads/writes local JSON data under data/card-optimizer/ as described in the README. Before enabling or using it: 1) Inspect data/card-optimizer/cards.json to confirm no sensitive data is pre-populated; 2) If you plan to connect bank accounts or budgeting tools, use reputable third-party services and review their permissions — the skill itself does not perform that connection; 3) If you enable automation (cron job or heartbeat) review any scripts or scheduled tasks so they don't leak data or run unexpected commands; 4) Optionally review the GitHub homepage/source to confirm there is no hidden code if you plan to integrate code from that repo. Overall the skill appears coherent for its purpose, but treat any automation or external account linking as an explicit, separate permission you must approve.

Like a lobster shell, security has layers — review code before you run it.

latestvk976ycvh39e406edxyzv8hkgy97zzvs8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💳 Clawdis

Comments