ClawHub

Gumroad Admin

v0.1.0

Gumroad Admin CLI. Check sales, products, and manage discounts.

1· 1.9k·0 current·0 all-time
by@abakermi
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's stated purpose (manage Gumroad sales/products/discounts) justifies asking for GUMROAD_ACCESS_TOKEN. However, the SKILL.md shows example commands invoking a 'gumroad-admin' CLI binary that is neither provided by the skill nor declared as a required binary or installed by an install spec. That is an incoherence: the skill expects a tool that isn't supplied or documented.
Instruction Scope
The instructions are narrowly scoped to Gumroad operations and only ask the user to export the Gumroad token and run CLI commands. They do not request unrelated files, other credentials, or system paths. Note: storing the access token in environment variables is sensitive and should be done carefully (avoid shared shells, CI logs, etc.).
!
Install Mechanism
There is no install spec and no code files. That limits risk from arbitrary installs but creates a functional gap: the SKILL.md expects a CLI to exist. A benign explanation is that the author assumes the user already has a third-party 'gumroad-admin' binary; absent that, an agent might try to download/execute a binary at runtime — which would be risky. The skill should either provide an install path or declare the required binary.
Credentials
The only required environment variable is GUMROAD_ACCESS_TOKEN, which is proportional to the described Gumroad functionality. This credential is sensitive; the skill does not request unrelated secrets or multiple credentials.
Persistence & Privilege
The skill does not request always:true and has no install actions or config paths, so it does not demand persistent or escalated privileges. Model invocation is allowed (the platform default) but that alone is not concerning here.
What to consider before installing
This skill's behavior is inconsistent: it tells you to run a 'gumroad-admin' CLI but does not include or document that CLI or how to install it. Before installing or supplying your Gumroad token, ask the publisher for an official install instruction or source for the CLI (repository or release URL). If you must test it, do so with a throwaway Gumroad token with minimal scope in an isolated environment. Do not paste your primary access token into shared shells or public logs. If you cannot verify the CLI's origin, prefer an official Gumroad integration or request a self-contained implementation that clearly documents what it will install and why.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cy8zf185185ddw5skwaszx5809v51

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💸 Clawdis
EnvGUMROAD_ACCESS_TOKEN

Comments