Skill v1.0.1
ClawScan security
Passive Income Monitor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Feb 25, 2026, 6:48 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's documentation describes a command-line tool and installation scripts, but the published package contains no code and no install spec. The claimed capabilities and integration points do not match the actual artifact.
- Guidance: This package reads as documentation for a CLI monitor, but the bundle contains no executable scripts and no installation spec; that mismatch is the main red flag. Before installing or enabling this skill:
  1. Verify the source and obtain the actual tool code (install.sh and passive-income-monitor.sh) from a trusted repository.
  2. Inspect any script you install, especially one that accepts wallets or keys or writes to your home config. Never put private keys into the tool's config; use read-only addresses or API tokens with minimal scope.
  3. Be cautious with webhooks: configure only webhook URLs you control or trust, so that alert payloads containing financial data cannot be posted to a third party.
  4. If you want the agent to call the tool automatically, restrict that behavior until you have confirmed the tool's code and its network destinations.
  5. Prefer a skill that ships its code or an explicit, auditable install mechanism over an instruction-only entry that references missing files.
Review Dimensions
- Purpose & Capability (concern): The SKILL.md describes a shell tool (passive-income-monitor.sh), an install.sh, and OpenClaw integration, but the skill bundle contains no code files and no install instructions. The registry entry claims installation via 'clawhub install' and a manual install.sh, yet neither an install spec nor any code is present, so the skill as published cannot provide the promised monitoring functionality. Required binaries and environment variables are listed in prose (curl, jq, bash) but are not declared or enforced in metadata.
- Instruction Scope (note): The instructions are scoped to monitoring tasks (calling public APIs and a local RPC endpoint, writing config under ~/.config/passive-income-monitor, exporting CSVs, posting webhooks), and those actions are consistent with the stated purpose. However, the SKILL.md explicitly states that the agent may call the tool proactively during heartbeats and that alerts may POST to arbitrary webhook URLs. That combination is a data-exfiltration risk if the agent is given unchecked access or a webhook is misconfigured: whatever the tool places in an alert leaves the host for whichever URL is in the config. The instructions also assume local scripts, RPC endpoints, and wallet/validator identifiers stored in config; if private keys or privileged endpoints are placed there, the same paths expose them.
- Install Mechanism (concern): The published skill has no install spec (it is instruction-only), yet the README instructs users to run 'clawhub install passive-income-monitor' or 'bash install.sh'. The package includes neither install.sh nor any other script, so the prescribed steps cannot be executed from the bundle. It is unclear how an agent or user would obtain the binaries the instructions expect, and a README that prescribes installation steps the bundle cannot satisfy is itself suspicious: whatever install.sh the user eventually runs is not part of the artifact this scan covered.
- Credentials (note): The skill declares no required environment variables and no primary credential, which is reasonable for a passive monitor. The SKILL.md does mention optional API keys (e.g., Storj) and webhook URLs, but these are not declared in requires.env; variables that are undeclared in metadata yet added to the config by instruction are an inconsistency to be aware of. The command examples use public wallet addresses and RPC endpoints, which is expected for this domain, but the documentation never warns against storing private keys in the config. That would be a security risk, since read-only addresses are sufficient for monitoring.
- Persistence & Privilege (ok): The skill does not request always-on presence (always:false) and declares no system-wide privileges. It writes its own config and alert logs under ~/.config/passive-income-monitor, which is normal for a CLI tool. The note that the OpenClaw agent can call the tool during heartbeats is a capability the user should decide to enable or disable; autonomous invocation by itself is the platform default and not an immediate red flag.
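The checks in the Guidance list (obtain and inspect the referenced scripts, keep private keys out of the config, post only to webhook hosts you control) and the Install Mechanism and Credentials findings above can be turned into a pre-install audit that an operator runs before enabling a skill like this one. The bash script below is an added example written for this page; it is not ClawHub's scanner code and not part of the Passive Income Monitor skill. It assumes a hypothetical layout: a bundle directory holding SKILL.md next to whatever scripts SKILL.md names, a KEY=VALUE config file, and a space-separated allowlist of webhook hosts. The secret-detection patterns are a heuristic for how a key usually lands in such a file, not a definition of what counts as one. The sample bundle it builds is constructed to reproduce the reviewed mismatch: SKILL.md references install.sh and passive-income-monitor.sh, and neither is shipped.

```shell
#!/usr/bin/env bash
# Pre-install audit for an instruction-only skill bundle.
# Added example for this review page; not ClawHub scanner code and not part of the
# Passive Income Monitor skill. Hypothetical assumptions: the bundle is a directory
# containing SKILL.md and any scripts it names; the tool config is a KEY=VALUE file;
# allowed webhook hosts are given as a space-separated list.

# 1. Every *.sh name mentioned in SKILL.md must be shipped in the bundle.
#    Prints one MISSING line per absent script; returns 1 if any is absent.
check_referenced_scripts() {
  local bundle="$1" missing=0 name
  [ -f "$bundle/SKILL.md" ] || { echo "MISSING: $bundle/SKILL.md"; return 1; }
  for name in $(grep -oE '[A-Za-z0-9_./-]+\.sh' "$bundle/SKILL.md" | sed 's#^\./##' | sort -u); do
    if [ ! -f "$bundle/$name" ]; then
      echo "MISSING: $name is referenced in SKILL.md but not in the bundle"
      missing=1
    fi
  done
  return "$missing"
}

# 2. Refuse a config that carries signing material. Public addresses and scoped
#    API tokens are acceptable for a read-only monitor; these patterns are a
#    heuristic for the ways a private key usually ends up in a KEY=VALUE file.
check_config_for_secrets() {
  local config="$1"
  if grep -qiE '(^|_)(private_?key|mnemonic|seed_?phrase)=' "$config" \
     || grep -qE -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$config"; then
    echo "REFUSE: private key material found in $config"
    return 1
  fi
  return 0
}

# 3. Alerts are POSTed to whatever URL is configured, so accept only HTTPS URLs
#    whose host is on the operator's allowlist. Userinfo and port are stripped
#    before comparison so "https://trusted@attacker.example/" is judged by its
#    real host rather than the decoy in front of the "@".
check_webhook_url() {
  local url="$1" allowlist="$2" host h
  case "$url" in
    https://*) ;;
    *) echo "REFUSE: webhook must use https: $url"; return 1 ;;
  esac
  host="${url#https://}"
  host="${host%%/*}"   # drop path
  host="${host#*@}"    # drop userinfo
  host="${host%%:*}"   # drop port
  for h in $allowlist; do
    [ "$host" = "$h" ] && return 0
  done
  echo "REFUSE: webhook host '$host' is not in the allowlist: $allowlist"
  return 1
}

# Constructed sample bundle reproducing the reviewed mismatch: SKILL.md names two
# scripts, neither of which is shipped. Prints the temporary directory path.
make_sample_bundle() {
  local d
  d="$(mktemp -d)"
  cat > "$d/SKILL.md" <<'EOF'
# Passive Income Monitor
Install with `bash install.sh`, then run `./passive-income-monitor.sh status`.
EOF
  printf '%s\n' "$d"
}

# Runs all three checks against a bundle, its config, and a webhook allowlist.
# The configured WEBHOOK_URL, if any, is the URL validated. Returns 0 only when
# every check passes.
audit_bundle() {
  local bundle="$1" config="$2" allowlist="$3" rc=0 url
  check_referenced_scripts "$bundle" || rc=1
  check_config_for_secrets "$config" || rc=1
  url="$(sed -n 's/^WEBHOOK_URL=//p' "$config")"
  if [ -n "$url" ]; then
    check_webhook_url "$url" "$allowlist" || rc=1
  fi
  return "$rc"
}

# Demo: audit the constructed bundle with a clean config (hypothetical values).
if [ "${1:-}" = "--demo" ]; then
  demo_dir="$(make_sample_bundle)"
  printf 'WALLET_ADDRESS=0x0000000000000000000000000000000000000000\nWEBHOOK_URL=https://hooks.example.com/alerts\n' > "$demo_dir/config"
  audit_bundle "$demo_dir" "$demo_dir/config" "hooks.example.com" && echo "OK to install" || echo "DO NOT INSTALL"
fi
```

Run with --demo and the audit refuses the constructed bundle for the same reason the scanner did: the two scripts SKILL.md names are absent. Dropping the scripts into the bundle clears that check; adding a PRIVATE_KEY line to the config, or pointing WEBHOOK_URL at a host outside the allowlist, makes it refuse again. The allowlist comparison is by exact host, so a subdomain or look-alike host must be added deliberately rather than matched by prefix.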
