Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ClawHub Skill: Passive Income Tracker
v1.0.0 · Track earnings, payouts, and uptime from multiple passive crypto income apps with daily summaries and export options in USD/EUR.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious (medium confidence)

Purpose & Capability
Name and description match the intended function (aggregating passive-crypto earnings), and the listed credentials (service tokens, node keys) are plausible for that task. However, the skill advertises a CLI with many commands and claims 'encrypted at rest' storage but provides no code or install mechanism in the bundle (instruction-only). That mismatch (declared commands + implementation absent) is unexpected and reduces trust.
Instruction Scope
SKILL.md instructs obtaining sensitive data: copying a Grass.io session token from browser storage, supplying Storj API keys and wallet addresses, and reading a Mysterium keystore file (~/.mysterium/keystore/node.key). Those actions are coherent with the stated purpose but involve high-sensitivity secrets and local file access. The doc also promises automatic WhatsApp/Telegram messaging but gives no details on how messaging is authenticated or configured — a gap that could hide additional credential prompts or third-party services.
Install Mechanism
No install specification and no code files are bundled (instruction-only). The SKILL.md references executing a 'passive-income-tracker' CLI and claims encrypted local storage, yet the registry package contains no installer or binaries. This forces users to fetch and run external code (a GitHub repo link is provided), which is a legitimate path but increases risk: the skill package itself neither supplies nor pins or verifies the implementation, so this scan covers only the instructions, not the program that will actually run.
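The mismatch the scan describes (a CLI documented in SKILL.md with nothing in the bundle implementing it, alongside instructions that ask for secrets and local files) can be checked mechanically before anything is run. The following audit script is an added example, not part of the skill, its repository, or ClawHub's scanner. The SKILL.md it reads is constructed to mirror the instructions described above (the GitHub URL in it is a placeholder), and the file-extension and keyword lists are assumptions you would tune for your own registry.

```python
"""Static audit of a skill bundle: does SKILL.md reference commands, local
paths or secrets that the package itself does not ship or implement?"""
import re
import tempfile
from pathlib import Path

# Constructed SKILL.md mirroring the instructions the scan describes.
# The URL is a placeholder, not the real repository.
SAMPLE_SKILL_MD = """---
name: passive-income-tracker
description: Track earnings from passive crypto income apps.
---
# Passive Income Tracker

Install the CLI from https://github.com/example/passive-income-tracker (placeholder).

Add accounts:

    passive-income-tracker add grass --session-token <token copied from browser storage>
    passive-income-tracker add storj --api-key <key> --wallet <address>
    passive-income-tracker add honeygain --email <email> --password <password>

Mysterium earnings are read from the node keystore at ~/.mysterium/keystore/node.key.
All credentials are stored encrypted at rest. No telemetry.
"""

# Assumed lists: what counts as "implementation" versus documentation.
CODE_SUFFIXES = {".py", ".js", ".ts", ".sh", ".go", ".rs", ".rb"}
INSTALL_FILES = {"install.sh", "setup.py", "pyproject.toml", "package.json", "Cargo.toml", "go.mod", "Makefile"}
DOC_FILES = {"skill.md", "readme.md", "license", "license.md"}
SECRET_WORDS = re.compile(r"(session[- ]token|api[- ]key|password|keystore|wallet|secret)", re.I)
# Flags in CLI examples that would carry a secret through argv.
SECRET_FLAGS = re.compile(r"--(?:session-token|api-key|password|token|secret|private-key)\b")


def referenced_commands(md: str) -> set:
    """First token of every indented or fenced command line that looks like an executable."""
    cmds, in_fence = set(), False
    for line in md.splitlines():
        if line.startswith("```"):
            in_fence = not in_fence
            continue
        if in_fence or line.startswith("    "):
            tok = line.strip().split()[:1]
            if tok and re.fullmatch(r"[a-z][a-z0-9_-]*", tok[0]):
                cmds.add(tok[0])
    return cmds


def referenced_paths(md: str) -> set:
    """Local file paths the instructions tell the agent or user to read (URLs are skipped)."""
    hits = re.findall(r"(?<![\w/])(?:~|\.{1,2})?/[\w.\-]+(?:/[\w.\-]+)+", md)
    return {h.rstrip(".,;:") for h in hits}


def credential_instructions(md: str) -> list:
    """Lines that instruct the user to supply a secret or expose a key file."""
    return [l.strip() for l in md.splitlines() if SECRET_WORDS.search(l)]


def implementation_files(bundle: Path) -> list:
    """Code or install artefacts shipped in the bundle (anything beyond docs)."""
    found = []
    for p in bundle.rglob("*"):
        if p.is_file() and p.name.lower() not in DOC_FILES and (
            p.suffix.lower() in CODE_SUFFIXES or p.name in INSTALL_FILES
        ):
            found.append(str(p.relative_to(bundle)))
    return sorted(found)


def audit_bundle(bundle: Path) -> dict:
    md = (bundle / "SKILL.md").read_text(encoding="utf-8")
    cmds, impl = referenced_commands(md), implementation_files(bundle)
    return {
        "commands": sorted(cmds),
        "paths": sorted(referenced_paths(md)),
        "secret_flags": sorted(set(SECRET_FLAGS.findall(md))),
        "credential_lines": credential_instructions(md),
        "implementation_files": impl,
        # The finding the scan raises: a CLI is documented but nothing implements or installs it.
        "instruction_only_cli": bool(cmds) and not impl,
    }


def audit_sample(extra_files=()) -> dict:
    """Build the constructed bundle in a temp dir (optionally adding files) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "passive-income-tracker"
        bundle.mkdir()
        (bundle / "SKILL.md").write_text(SAMPLE_SKILL_MD, encoding="utf-8")
        for name in extra_files:  # simulate a bundle that does ship code
            (bundle / name).write_text("# placeholder implementation\n", encoding="utf-8")
        return audit_bundle(bundle)


if __name__ == "__main__":
    for key, value in audit_sample().items():
        print(f"{key}: {value}")
```

Run against a real bundle with `audit_bundle(Path("path/to/skill"))`; a true `instruction_only_cli` together with non-empty `secret_flags` and `paths` is exactly the combination that should send you to the referenced repository before anything is installed.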
Credentials
The skill does not request environment variables via the registry metadata (none declared), which is consistent. It does, however, instruct users to supply many sensitive credentials (session tokens, API keys, email+password for Honeygain, a node keystore). Those credentials are proportionate to the stated integrations but are sensitive; the documentation claims encrypted storage and 'no telemetry' without providing the code that would let anyone verify how secrets are protected. Passing credentials on the command line (the examples use CLI flags) exposes them in shell history and in process listings (ps, /proc/<pid>/cmdline) on the host.
Persistence & Privilege
The skill is not marked always:true and does not request elevated or persistent platform privileges. It names standard OpenClaw tools (exec, message, web_fetch) in its metadata, which is normal. There is no evidence it modifies other skills or global agent configuration.
What to consider before installing
This skill conceptually fits its purpose (aggregating earnings) but the package is instruction-only and does not include the CLI or code that it references. Before installing or running anything you should:
1) Inspect the referenced GitHub repository code yourself (or ask for it) to verify how tokens are stored/encrypted and how alerts (WhatsApp/Telegram) are delivered.
2) Avoid pasting long-lived secrets or passwords on the command line; prefer short-lived API keys or read-only tokens, and supply them through an environment variable, a file readable only by you, or an interactive prompt rather than a flag.
3) Verify the repository's authenticity (owner, commits, issues) and prefer running the code on an isolated machine or VM.
4) If you proceed, confirm exactly where credentials are saved and how encryption is implemented; do not rely solely on the SKILL.md claim of 'encrypted at rest'.
5) Consider whether automatic messaging requires additional credentials and where those will be stored.
Like a lobster shell, security has layers: review code before you run it.
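Items 2 and 4 of that list, as an added illustration (this is not code from the skill, its repository, or ClawHub): a loader that accepts a secret only from an environment variable or from a file with mode 0600, a lint that flags documented CLI flags which would put a secret into argv, and a check that a store file described as 'encrypted at rest' is not in fact plain JSON with the secrets readable. The environment-variable name, the flag and key lists, and the sample store contents are assumptions.

```python
"""Supplying secrets to a local CLI without putting them in argv, and checking
what a tool actually wrote to disk before trusting an 'encrypted at rest' claim."""
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional

# Assumed: key/flag names that carry a secret. "wallet" is an address, not a secret.
SECRET_KEYS = {"token", "session_token", "api_key", "password", "private_key", "secret"}


def load_secret(name: str, *, env: Optional[dict] = None, file_path: Optional[Path] = None) -> str:
    """Read a secret from an environment variable or a mode-0600 file.

    Both keep the value out of shell history and process listings; a file that
    group or others can read is refused rather than silently used."""
    env = os.environ if env is None else env
    if env.get(name):
        return env[name]
    if file_path is not None:
        if file_path.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{file_path} is readable by others; chmod 600 it first")
        return file_path.read_text(encoding="utf-8").strip()
    raise KeyError(f"secret {name!r} not provided via environment or file")


def argv_leaks_secret(argv: list) -> list:
    """Flags on a command line whose values would land in history and /proc/<pid>/cmdline."""
    leaks = []
    for i, arg in enumerate(argv):
        if not arg.startswith("--"):
            continue
        flag = arg.split("=", 1)[0]
        if flag[2:].replace("-", "_") in SECRET_KEYS and ("=" in arg or i + 1 < len(argv)):
            leaks.append(flag)
    return leaks


def plaintext_secrets(store: bytes) -> list:
    """Dotted key paths with secret-looking names in a store that parses as plain JSON.

    A store that is really encrypted at rest should not parse at all, or should
    expose only ciphertext fields; any hit here contradicts the claim."""
    try:
        data = json.loads(store.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return []
    found = []

    def walk(node, prefix=""):
        if isinstance(node, dict):
            for k, v in node.items():
                if k.lower() in SECRET_KEYS and isinstance(v, str) and v:
                    found.append(prefix + k)
                walk(v, prefix + k + ".")
        elif isinstance(node, list):
            for item in node:
                walk(item, prefix)

    walk(data)
    return found


def demo() -> dict:
    """Run the three checks against constructed inputs and return the results."""
    # Constructed: the documented usage puts the Grass session token straight into argv.
    documented = ["passive-income-tracker", "add", "grass", "--session-token", "eyJ...constructed"]
    # Constructed: what an unencrypted config written by such a tool could look like.
    plain_store = json.dumps({"accounts": [{"service": "grass", "session_token": "eyJ...constructed"}]}).encode()
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = Path(tmp) / "grass.token", Path(tmp) / "world-readable.token"
        for p in (good, bad):
            p.write_text("eyJ...constructed\n", encoding="utf-8")
        good.chmod(0o600)
        bad.chmod(0o644)
        from_file = load_secret("GRASS_SESSION_TOKEN", env={}, file_path=good)
        try:
            load_secret("GRASS_SESSION_TOKEN", env={}, file_path=bad)
            refused = False
        except PermissionError:
            refused = True
    return {
        "argv_leaks": argv_leaks_secret(documented),
        "plaintext_keys": plaintext_secrets(plain_store),
        "from_file": from_file,
        "world_readable_refused": refused,
        "from_env": load_secret("GRASS_SESSION_TOKEN", env={"GRASS_SESSION_TOKEN": "from-env"}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

After a first run of any such tool, point `plaintext_secrets` at whatever it wrote under your home directory; if your session token comes back as a readable key path, the 'encrypted at rest' claim is false for that build regardless of what SKILL.md says.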
latest · vk977xpk2svdtt10vkzpearrte581vrks
