Passive Income Monitor

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill appears to be a benign passive-income monitoring guide, but users should verify any referenced scripts before running them and be careful with API keys, local financial records, and webhook alerts.

Before installing or using this skill, confirm that any referenced scripts come from a trusted source, use least-privilege API keys, never provide wallet seed phrases or private keys, secure the local config and earnings files, and send webhook alerts only to private destinations you control.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The documented commands may not work as packaged, and fetching similarly named scripts from elsewhere could expose the user to unreviewed code.

Why it was flagged

The documentation references runnable shell scripts, while the supplied manifest contains only SKILL.md and no install spec; this is a provenance and completeness note, not evidence of hidden execution.

Skill content

bash passive-income-monitor.sh check ... # Manual
bash install.sh

Recommendation

Install only from a trusted package that includes the expected scripts, and review any shell script before running it.

What this means

If credentials or local node access are mishandled, earnings or node information could be exposed.

Why it was flagged

The skill may use service API keys and local node RPC endpoints, which are expected for monitoring but still represent account or node access.

Skill content

bash passive-income-monitor.sh add storj "storage1" --api-key KEY --node-id NODE_ID ... bash passive-income-monitor.sh add mysterium "node1" --rpc http://localhost:4449

Recommendation

Use read-only or least-privilege API keys where available, avoid entering private keys or seed phrases, and limit local RPC access to trusted environments.

What this means

Anyone with access to the local configuration or CSV files may learn wallet addresses, earnings history, alert settings, or API-related details.

Why it was flagged

The skill stores configuration and earnings history locally, which is purpose-aligned but creates persistent financial and possibly credential-related records.

Skill content

Config stored in `~/.config/passive-income-monitor/config.json` ... Earnings data stored in CSV for privacy and portability

Recommendation

Store the config directory securely, avoid placing sensitive files in shared folders, and remove old exports or logs when no longer needed.

What this means

Misconfigured webhooks could reveal earnings, wallet/node names, or offline status to the wrong channel or service.

Why it was flagged

Webhook alerts are disclosed and purpose-aligned, but they can send income or node-status information to external services.

Skill content

`webhook` — POST to configured URL (Discord, Slack, custom)

Recommendation

Use private webhook destinations, verify URLs before saving them, and avoid including sensitive labels in stream names.

What this means

The agent may perform status checks and generate alerts during routine heartbeats if configured.

Why it was flagged

The skill discloses proactive invocation for monitoring, which is aligned with alerts but means it may run outside a direct manual command.

Skill content

OpenClaw agent can call this tool proactively during heartbeats

Recommendation

Enable proactive monitoring only if desired, and configure alert thresholds and destinations carefully.