Skill Earnings Tracker

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly acts like a local earnings logger, but it makes privacy claims about encrypted/private storage that are contradicted by the included plaintext log-writing code.

Review this skill before installing if you plan to record real revenue or credit balances. The tracker appears local and non-destructive, but its files are plaintext despite the documentation saying they are encrypted, and any cron jobs must be added and later removed by you.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Users may enter earnings, credit values, or notes believing they are encrypted or stored in a private location when they are actually saved as readable local JSON lines.

Why it was flagged

The documentation promises encrypted/private storage, but the included code writes plaintext JSONL earnings records to ~/.openclaw/earnings. This mismatch could cause users to trust the storage protections more than the implementation supports.

Skill content

SKILL.md: "Earnings data encrypted at rest" and "Credit balances stored in ~/.private/"; script: `EARNINGS_DIR = Path.home() / ".openclaw" / "earnings"` and `f.write(json.dumps(entry) + "\n")`

Recommendation

Treat the earnings files as plaintext. Do not put sensitive notes or account information in them unless the skill is updated to implement encryption or the documentation removes the unsupported privacy claims.

What this means

If a user copies the cron examples, the tracker may continue adding entries automatically until the cron job is removed.

Why it was flagged

The skill suggests persistent scheduled execution via cron. This is disclosed and user-directed, but it would keep collecting local tracking data on a recurring schedule if the user installs it.

Skill content

Add to your crontab for automatic tracking: `0 0 * * * cd {baseDir} && python3 scripts/skill_earnings_tracker.py log ...`

Recommendation

Only add the cron jobs if recurring tracking is desired, review the exact command first, and remove the cron entry when no longer needed.

What this means

Some commands may fail unless the ClawHub CLI is already installed, and users may not see that dependency from the registry requirements alone.

Why it was flagged

The SKILL.md frontmatter and stats workflow expect the ClawHub CLI, while the registry metadata reports no required binaries. The dependency is purpose-aligned, but the installation contract is inconsistent.

Skill content

`"requires": { "bins": ["clawhub"] }`

Recommendation

Install only a trusted ClawHub CLI version if using the stats or cron examples. The skill publisher should align the registry metadata with the documented dependency.