AffiliateMaster

Security checks across malware telemetry and agentic risk

Overview

AffiliateMaster is coherent with its affiliate-marketing purpose, but it handles affiliate credentials, persists local analytics, and can automatically modify draft content with monetized links.

This skill appears purpose-aligned and not malicious from the provided artifacts. Before installing, verify you trust the publisher, protect any affiliate API keys placed in config.json, and review all enhanced content before publishing so affiliate links and disclosures match your intent and legal obligations.

VirusTotal

62/62 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

Draft content may be changed to include affiliate links and disclosures, which can affect trust, monetization, and compliance obligations.

Why it was flagged

The skill can automatically alter supplied content by inserting affiliate links. This matches the stated purpose, but it affects public-facing monetized content if the result is later published.

Skill content
const { autoInsert = true, disclosurePlacement = 'top', maxLinks = 3 } = options; ... enhancedContent = enhancedContent.replace(... `[${product.name}](${link.affiliateUrl})`);
Recommendation

Review enhanced content before publication, set maxLinks deliberately, and disable automatic insertion when affiliate links are not explicitly desired.

ASI03: Identity and Privilege Abuse
Low
What this means

Anyone or any agent with access to the skill directory may be able to read or use configured affiliate credentials.

Why it was flagged

The configuration file is designed to hold affiliate network credentials and identifiers. This is expected for the service, but it gives the skill access to affiliate-account authority.

Skill content
"accessKey": "", "secretKey": "", "associateId": "" ... "apiKey": ""
Recommendation

Use least-privilege affiliate API keys, keep the config file private, avoid adding unrelated credentials, and rotate keys if the skill directory is exposed.

ASI06: Memory and Context Poisoning
Low
What this means

Local analytics may reveal business performance or monetization strategy to anyone with access to the skill files.

Why it was flagged

The skill persists analytics data locally, including clicks, conversions, revenue, and per-link/product statistics.

Skill content
const analyticsPath = path.join(__dirname, 'analytics.json'); ... fs.writeFileSync(analyticsPath, JSON.stringify(analytics, null, 2));
Recommendation

Treat analytics.json as sensitive business data, delete it when no longer needed, and avoid storing customer-identifying information in product or tracking fields.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

Users have less external context for verifying who maintains the skill or comparing the registry artifact to an upstream source.

Why it was flagged

The registry information does not provide an external source or homepage for provenance review. No malicious install behavior is evidenced, but publisher verification is limited.

Skill content
Source: unknown; Homepage: none
Recommendation

Install only if you trust the ClawHub publisher, and prefer reviewed or source-linked releases for production workflows.