v1.0.0

Payout Possum

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:07 AM.

Analysis

This appears to be a legitimate money-recovery guide, but it asks for sensitive identity and financial details and can search Gmail if you explicitly approve it.

Guidance: This skill is reasonable to use if you are comfortable sharing the personal details needed for a money-recovery sweep. Provide the minimum information needed, verify official sites before entering sensitive data, skip Gmail coverage unless you trust the Gmail integration, and only run the local installer if you intend to replace the local skill copy.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
scripts/install-local.sh
rm -rf "${target_dir}"
...
install_dir "${HOME}/.codex/skills"
install_dir "${HOME}/.openclaw/skills"

The optional local installer replaces any existing payout-possum directory in local agent skill folders. This is a normal install pattern, but it does modify the local agent environment if run.

User impact: Running the script could overwrite a prior local copy of this skill, including any local edits.
Recommendation: Run the installer only intentionally, review it first, and back up any customized local skill copy before replacing it.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
Capture:

- Full legal name and common variants
- Prior names
- Current state and prior states
- Current address and prior addresses
- Phone numbers and email addresses used historically
- Employers, unions, schools, military service, and retirement-plan providers
- Banks, brokerages, insurers, utilities, mortgage servicers, and loan servicers

The workflow asks for sensitive identity, address, employment, and financial-relationship details. This is expected for a money-recovery search, but it is high-sensitivity information.

User impact: You may disclose personal identity and financial-history details to the agent and use them while checking official recovery sources.
Recommendation: Share only the details needed for the specific searches you approve, avoid providing full SSNs or passwords in chat, and verify official domains before entering sensitive information.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Note
SKILL.md
Use Gmail only if the user asks for inbox coverage or explicitly approves it as part of the sweep. Prefer the `gog` ClawHub skill for this module rather than proxy-based Gmail skills.

Default to read-only behavior. Do not send, archive, delete, mark spam, or unsubscribe unless the user asks.

The skill can delegate Gmail searches to another ClawHub skill. The artifact limits this to explicit user approval and read-only behavior by default, but inbox access is still sensitive.

User impact: If you enable Gmail coverage, another installed skill may read and summarize relevant email content such as settlement notices, claimant IDs, links, and deadlines.
Recommendation: Use the Gmail module only with a Gmail skill you trust, approve the specific search scope, and keep mail modifications disabled unless you explicitly request them.