AI Profit Engine

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: ai-profit-engine
Version: 1.0.0

The skill bundle contains a hardcoded API key for Moltbook in `scripts/scan.sh` and references an external script (`scripts/polymarket_wallet_monitor.sh`) that is missing from the provided files, preventing a complete security review of its execution logic. While the visible code performs basic scraping of financial opportunity sites (e.g., clawtasks.com, airdrops.io) as described, the inclusion of hardcoded credentials and unverified script dependencies constitutes a security risk.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Requests may run under an unknown shared account or exposed token rather than the user's own credential, which can create account, rate-limit, or authorization problems.

Why it was flagged

The script sends requests with a hardcoded Moltbook bearer token even though the registry declares no primary credential or required environment variable, and SKILL.md describes MOLTBOOK_API_KEY as configurable.

Skill content

-H "Authorization: Bearer moltbook_sk_..."

Recommendation

Remove the embedded token, require a user-provided MOLTBOOK_API_KEY, declare it in metadata, and document exactly what account access is used.

What this means

If a different or tampered file exists at that workspace path, running this skill could execute arbitrary local commands under the user's account.

Why it was flagged

After changing into the workspace, the script runs a relative helper script that is not included in the provided file manifest, creating an unreviewed code dependency and possible path-hijack behavior.

Skill content

cd "$HOME/.openclaw/workspace" || exit 1
...
bash scripts/polymarket_wallet_monitor.sh >> "$LOG" 2>&1

Recommendation

Bundle and review the helper script, call it from the skill's own installation directory, verify its provenance, or remove the call until the dependency is provided.

What this means

If enabled in cron, the scanner will continue running on a schedule until the user disables it.

Why it was flagged

The skill recommends periodic background execution. This matches its monitoring purpose, but users should understand it will keep making network requests and writing logs if scheduled.

Skill content

Run hourly via cron for continuous opportunity detection.

Recommendation

Only add the cron job if continuous monitoring is desired, and periodically review the log file and network/API usage.