ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Passive Income Monitor

v1.0.1

Monitors and summarizes earnings from bandwidth nodes, decentralized storage, DeFi yields, and staking with alerts for drops or offline status.

0· 426·3 current·3 all-time
by@mariusfit
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md describes a shell tool (passive-income-monitor.sh), an install.sh, and OpenClaw integration; however the skill bundle contains no code files or install instructions. The registry entry claims install via 'clawhub install' and manual install.sh, yet no install spec or code is present — meaning the skill as published cannot actually provide the promised monitoring functionality. Required binaries and env vars are listed in prose (curl, jq, bash) but not enforced or declared in metadata.
Instruction Scope
Instructions are generally scoped to monitoring tasks (calling public APIs, local RPC, writing config in ~/.config/passive-income-monitor, exporting CSVs, posting webhooks). Those actions are consistent with the stated purpose. However the SKILL.md explicitly mentions the agent can call the tool proactively during heartbeats and that alerts may POST to arbitrary webhook URLs — this raises a potential data-exfil risk if the agent is given unchecked access or misconfigured webhooks. Also the instructions assume the presence of local scripts and access to RPC endpoints and wallet/validator identifiers stored in config, which could expose sensitive data if private keys or privileged endpoints are used.
!
Install Mechanism
There is no install spec in the published skill (instruction-only), but the README instructs users to run 'clawhub install passive-income-monitor' or 'bash install.sh'. That is inconsistent: the package doesn't include install.sh or any script to install. This mismatch makes it unclear how an agent or user would obtain the binaries the instructions expect, and it is suspicious that the README prescribes installation steps that cannot be executed from the bundle.
Credentials
The skill declares no required environment variables or primary credential, which is reasonable for a passive monitor. The SKILL.md does mention optional API keys (e.g., Storj) and webhook URLs, but these are not declared in requires.env. The absence of declared env vars combined with instructions to add API keys in config is an inconsistency to be aware of. The commands example use wallet addresses (public) and RPC endpoints, which are expected for this domain — but the documentation does not warn about never storing private keys in the config, which would be a security risk.
Persistence & Privilege
The skill does not request always-on presence (always:false) and does not declare system-wide privileges. It writes its own config under ~/.config/passive-income-monitor and alert logs there — this is normal for a CLI tool. The note that the OpenClaw agent can call the tool during heartbeats is a capability the user should consider enabling or disabling, but autonomous invocation by itself is the platform default and not an immediate red flag.
What to consider before installing
This package looks like documentation for a CLI monitor but contains no executable scripts or installation instructions in the bundle — that mismatch is the main red flag. Before installing or enabling this skill: (1) verify the source and obtain the actual tool code (install.sh and passive-income-monitor.sh) from a trusted repository; (2) inspect any scripts you install, especially any that accept wallets, keys, or write to your home config; never put private keys into the tool's config — use read-only addresses or API tokens with minimal scope; (3) be cautious with webhooks: only configure webhook URLs you control/trust to avoid leaking financial data; (4) if you want the agent to call the tool automatically, restrict that behavior until you confirm the tool's code and network destinations; and (5) prefer a skill that includes its code or an explicit, auditable install mechanism rather than an instruction-only entry that references missing files.

Like a lobster shell, security has layers — review code before you run it.

latestvk979qnftzhbpdmb0999qz5wjw581vkyf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

passive-income-monitor

Version: 1.0.0
Author: mariusfit
Category: finance, crypto, automation, passive-income
Tags: passive income, crypto, grass, storj, mysterium, defi, staking, yield, monitoring, alerts

What This Does

Monitors multiple passive income streams from a single command. Tracks bandwidth monetization nodes (Grass.io, Mysterium Network), decentralized storage earnings (Storj), DeFi yield positions, and crypto staking rewards. Provides unified dashboard, earnings summaries, and configurable alerts when earnings drop or nodes go offline.

Zero API keys required for basic mode. Optional API keys unlock richer data.

Use Cases

  • Track all passive income sources in one place
  • Get alerted when a node goes offline or earnings drop
  • Calculate daily/weekly/monthly earnings projections
  • Compare actual vs expected yields across DeFi protocols
  • Log earnings history for tax/accounting purposes

Commands

monitor check — Quick status of all configured streams

bash passive-income-monitor.sh check

Output: Status table (stream name, status, last earned, 24h total)

monitor earnings — Detailed earnings report

bash passive-income-monitor.sh earnings [--days 7] [--format json|table|csv]

monitor add <type> <name> <config> — Add income stream

bash passive-income-monitor.sh add grass "node1" --wallet 0xABC...
bash passive-income-monitor.sh add storj "storage1" --api-key KEY --node-id NODE_ID
bash passive-income-monitor.sh add mysterium "node1" --rpc http://localhost:4449
bash passive-income-monitor.sh add defi "aave-usdc" --protocol aave --address 0xABC... --chain ethereum
bash passive-income-monitor.sh add staking "eth-validator" --address 0xABC... --chain ethereum

monitor remove <name> — Remove income stream

bash passive-income-monitor.sh remove "node1"

monitor alert <threshold> — Set alert thresholds

bash passive-income-monitor.sh alert --min-daily 5.00 --notify-offline --email user@example.com

monitor export — Export earnings history

bash passive-income-monitor.sh export --format csv --output earnings-2026.csv

monitor dashboard — Live terminal dashboard (ncurses-style)

bash passive-income-monitor.sh dashboard

Supported Platforms

PlatformTypeAPINotes
Grass.ioBandwidthPublic APIWallet address required
Mysterium NetworkBandwidthLocal RPCNode must be running
StorjStorageAPI KeyDCS node API
Aave v3DeFi LendingPublic on-chainNo key needed
Compound v3DeFi LendingPublic on-chainNo key needed
LidoETH StakingPublic APIStaking address
Ethereum StakingValidatorBeaconcha.in APIValidator pubkey
HeliumIoT NetworkPublic APIWallet address

Configuration

Config stored in ~/.config/passive-income-monitor/config.json:

{
  "streams": [
    {
      "name": "grass-node1",
      "type": "grass",
      "wallet": "0xABC...",
      "enabled": true
    },
    {
      "name": "mysterium-node",
      "type": "mysterium",
      "rpc": "http://localhost:4449",
      "enabled": true
    }
  ],
  "alerts": {
    "min_daily_usd": 5.00,
    "notify_offline": true,
    "notify_method": "file"
  },
  "currency": "USD"
}

Alert Methods

  • file — Write alerts to ~/.config/passive-income-monitor/alerts.log
  • stdout — Print to terminal
  • webhook — POST to configured URL (Discord, Slack, custom)
  • OpenClaw integration: alerts appear as agent notifications

Output Examples

╔═══════════════════════════════════════════════════════════════╗
║          PASSIVE INCOME MONITOR — 2026-02-24                  ║
╠═══════════════════════════╦═══════════╦══════════╦═══════════╣
║ Stream                    ║ Status    ║ 24h      ║ 7d Total  ║
╠═══════════════════════════╬═══════════╬══════════╬═══════════╣
║ grass-node1               ║ ✅ Online  ║ $0.34    ║ $2.18     ║
║ mysterium-residential     ║ ✅ Online  ║ $0.12    ║ $0.84     ║
║ storj-node                ║ ⚠️ Offline ║ $0.00    ║ $1.92     ║
║ aave-usdc-pos             ║ ✅ Earning ║ $0.28    ║ $1.96     ║
║ lido-staking              ║ ✅ Active  ║ $0.45    ║ $3.15     ║
╠═══════════════════════════╬═══════════╬══════════╬═══════════╣
║ TOTAL                     ║           ║ $1.19    ║ $10.05    ║
╚═══════════════════════════╩═══════════╩══════════╩═══════════╝

⚠️  ALERT: storj-node has been offline >2h. Check node health.
📈 Projected monthly: $35.70 (based on 7d average)

Requirements

  • bash 4.0+
  • curl (for API calls)
  • jq (for JSON parsing)
  • bc (for math)
  • Optional: node.js (for on-chain data via ethers.js)

Installation

# Via OpenClaw
clawhub install passive-income-monitor

# Manual
bash install.sh

Notes

  • All data cached locally; no external tracking or telemetry
  • Earnings data stored in CSV for privacy and portability
  • OpenClaw agent can call this tool proactively during heartbeats
  • Works offline for cached data; requires internet for fresh API calls

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…