Gumroad Admin

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: gumroad-admin
Version: 0.1.0

The skill bundle is benign. The `SKILL.md` clearly states its purpose to manage a Gumroad store and declares a necessary dependency on `GUMROAD_ACCESS_TOKEN` for its functionality. There is no evidence of data exfiltration, malicious execution, persistence, prompt injection against the agent, or obfuscation within the provided files. The instructions are straightforward and align with the stated purpose.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any command with access to this token may be able to access or modify Gumroad account data depending on the token's permissions.

Why it was flagged

The skill requires a Gumroad access token, which is expected for administering a Gumroad store but is still a sensitive account credential.

Skill content

requires:
      env: ["GUMROAD_ACCESS_TOKEN"]

Recommendation

Use a dedicated, revocable token if possible, keep it out of logs and shared shells, and revoke it if you no longer need the skill or suspect exposure.

What this means

Running the discount command with the wrong product, amount, or code could affect sales, pricing, or promotion behavior.

Why it was flagged

The skill documents a command that can create a Gumroad discount, which is purpose-aligned but changes the user's store configuration.

Skill content

gumroad-admin discounts create --product <id> --code "TWITTER20" --amount 20 --type percent

Recommendation

Treat discount creation as a write action: verify the product ID, discount value, and intended promotion before running it.

What this means

The safety of actual command execution depends on the separate `gumroad-admin` binary available in the user's environment.

Why it was flagged

The reviewed package does not include or install the `gumroad-admin` CLI used by the instructions, so the executable's provenance is outside these artifacts.

Skill content

No install spec — this is an instruction-only skill. No code files present — this is an instruction-only skill.

Recommendation

Install or use `gumroad-admin` only from a trusted source and verify which executable will run before providing a Gumroad token.