v1.0.1

Revenue Tracker

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 7:24 AM.

Analysis

The tracker is coherent as a revenue tool, but it asks the agent to automatically sync sensitive revenue data to Google Sheets, Notion, and Telegram, so it should be reviewed before install.

Guidance: Install only if you want the agent to maintain local revenue files and potentially sync financial data to Google Sheets, Notion, and Telegram. Before use, configure exact destinations, require confirmation for external updates, and avoid recording unnecessary client-identifying details.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
README.md
After every `record` command, the script: ... Outputs structured instructions → agent executes: Priority 1 → Google Sheets ... Priority 2 → Notion

Each revenue record can trigger agent-executed writes to external tools. The artifacts do not clearly require user confirmation, verify the exact destination account/database, or describe reversal controls.

User impact: Incorrect or sensitive revenue records could be written automatically into third-party workspaces.
Recommendation: Require explicit opt-in or confirmation before external sync, pin exact Sheets/Notion destinations, and provide a dry-run or local-only mode.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
uses_agent_telegram: true ... optional_skills: - wesley-web-operator - virtual-desktop

The skill relies on the agent's existing Telegram, Google/web-operator, and virtual-desktop authority. That is purpose-aligned, but users should understand which account identity will perform the actions.

User impact: Updates and alerts may be performed under the user's or agent's connected third-party accounts.
Recommendation: Use least-privilege connected accounts and confirm the agent cannot write outside the intended revenue tracker destinations.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
After every revenue event, outputs structured instructions for the agent to update Google Sheets (via gog), Notion (via virtual-desktop) ... The agent sends Telegram alerts

Sensitive financial events are handed from the script to the agent and then to other skills/providers, but the artifacts do not define identity, permissions, redaction, or data-boundary checks for those handoffs.

User impact: Revenue, client, trading, and milestone information may be exposed through Google, Notion, or Telegram integrations.
Recommendation: Verify the connected accounts, limit which event fields are shared, redact client-identifying details by default, and make external alerts configurable.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
revenue_tracker.py
AUDIT_LOG = Path("/workspace/AUDIT.md") ... LEARNINGS_LOG = Path("/workspace/.learnings/LEARNINGS.md")

The skill persistently records audit and learning information that may be reused by future agent workflows. This is expected for the tracker, but the data can contain sensitive or incorrect business context.

User impact: Financial learnings or audit entries may persist across tasks and influence later agent decisions.
Recommendation: Periodically review and prune the audit and learning files, and avoid storing unnecessary client-identifying information.