Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Payout Possum
v1.0.0
Comprehensive money-recovery specialist for finding money, benefits, refunds, settlements, unclaimed property, pensions, bankruptcy funds, escrow balances, a...
⭐ 0· 74·0 current·0 all-time
by Chad Newbry (@chadnewbry)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name, description, SKILL.md, and reference files all focus on locating unclaimed money, official sources, and optional Gmail evidence. There are no unrelated required binaries, env vars, or external endpoints in the materials supplied.
Instruction Scope
Instructions ask the agent to collect personal identity and account history (names, prior addresses, employers, banks, possible SSN last4) and optionally to search Gmail for evidence. This is expected for the task, but it involves sensitive PII; the skill documents read-only Gmail behavior and explicitly requires user approval before inbox access, and it warns about red flags and upfront-fee scams.
Install Mechanism
No network install spec; the only code file is a local install script that copies the skill files into ~/.codex/skills and ~/.openclaw/skills. The script uses rm -rf on the skill target folder (normal for overwrite) but does not download or execute remote code.
Credentials
The skill declares no required environment variables or credentials. It recommends using an existing Gmail/Google skill (steipete/gog) for inbox access rather than asking for Google credentials directly. That said, the workflow legitimately asks for highly sensitive user data (name variants, addresses, account identifiers, possibly SSN last 4), so users should be cautious about sharing full SSNs, passwords, or account credentials.
Persistence & Privilege
always is false and the skill does not request elevated or persistent system privileges. The install script writes only to user-skill directories in the home folder and does not modify other skills or system-wide settings.
Assessment
This skill appears to do what it says: a structured checklist to find unclaimed money. Before installing or using it: (1) review the install script (it only copies files into your home skill folders). (2) Never hand over full SSNs, bank passwords, or email passwords—provide minimal data (e.g., name variants, date ranges) and prefer last4 if a service requires it. (3) For Gmail evidence, prefer installing and authorizing a vetted Google/OAuth-backed skill (the skill recommends steipete/gog) rather than giving raw credentials. (4) Confirm any request for identity documents or upfront fees is necessary; the skill itself flags those as red flags. (5) Only install skills from sources you trust; this package's source/homepage are unknown, so if you plan to use it in production, consider auditing or hosting the files from a repository you control.
Like a lobster shell, security has layers — review code before you run it.
