Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Revenue Tracker

v1.0.0

Track and summarize daily income by logging transactions, generating reports, and analyzing revenue by source and skills.

by ZhangYang @arthasking123
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (track and summarize income) matches the included scripts and files. Both a Bash (main.sh) and a Python (main.py) implementation are provided — that generally fits the stated purpose, but the two implementations write/read different log formats (main.sh writes pipe-separated lines, main.py writes JSON lines), which is disproportionate and can produce inconsistent reporting if both are used against the same log file.
Instruction Scope
SKILL.md instructs using main.sh for logging and reporting and references local files (logs/revenue.log, reports/daily_summary.md) only. The instructions do not request external files, environment variables, or network calls. Note: the repository also contains main.py (not referenced in SKILL.md usage examples) and mixing usage of main.sh and main.py will cause entries to be ignored by one or the other because of format mismatch.
Install Mechanism
No install spec and no downloads; this is instruction+scripts only. That is low risk and proportional for a small utility.
Credentials
The skill declares no required environment variables, credentials, or config paths and the code does not access any environment variables or external secrets. Requested resources are limited to creating local directories and files (logs/, reports/).
Persistence & Privilege
Skill has no always:true flag and does not request elevated privileges or persist beyond its own files. It creates and writes to logs/ and reports/ within its directory only.
Assessment
This skill appears local-only and coherent with its stated purpose, but review a few points before installing:
- It includes two implementations (main.sh and main.py) that use different log formats: main.sh uses pipe-separated lines, main.py writes JSON lines. Use one implementation consistently or convert logs to a single format to avoid missing transactions in reports.
- No network or credential access is requested, so it won't exfiltrate data by itself; still run it in a directory where writing logs is safe and back up any important files first.
- package.json exists but there is no install step; you can ignore it or run scripts via the provided shell script. If you need only one implementation, consider removing the other to avoid accidental mixing.
- If you plan to integrate this into broader automation, inspect concurrent-write behavior and add locking if necessary.

Overall: safe to run locally with normal caution (inspect files and run in an isolated project folder).

Like a lobster shell, security has layers — review code before you run it.

latestvk972ysnkj59ejtx6d453w6prsh81hs7j
