Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Lucky Gumroad Automation
v1.0.1 Gumroad store automation — product creation, uploads, profile editing, data pulls. Use when any task involves Gumroad (creating products, managing listings,...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's stated purpose (Gumroad automation) legitimately requires authenticated sessions, and reusing a Chrome profile can achieve that. However, the skill manifest declares no required config paths or credentials while the SKILL.md mandates use of a specific local profile path (/home/openclaw/gumroad-profile). That contradiction (an undeclared but required sensitive resource) is incoherent and should have been declared explicitly.
Instruction Scope
The SKILL.md instructs the agent to: reuse a local Chrome user-data directory, never clear cookies, run headless Chrome with remote debugging, dump DOM to /tmp, pkill Chrome processes, and never log in manually. These are system-level operations and direct access to a local browser profile (cookies, localStorage, tokens). The instructions do not declare or justify this sensitive filesystem access, and include social-engineering-like guidance ('Never log in manually' / 'tell Ray'), which broadens the operational scope beyond a simple API integration.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes risk from arbitrary installation artifacts or remote downloads.
Credentials
No environment variables, credentials, or config paths are declared in the registry metadata, yet the runtime instructions require direct access to a Chrome profile directory that effectively contains credentials (session cookies, auth tokens). Requesting access to that profile is equivalent to requesting sensitive credentials and should be explicitly declared and justified. The presence of hard-coded account identifiers (seller name, user id, subdomain) ties the profile to a specific account and increases risk if the profile is misused or exfiltrated.
Persistence & Privilege
The skill is not marked 'always: true' and is user-invocable (normal). However, because the agent is allowed to invoke skills autonomously by default, the combination of autonomous invocation with undeclared access to a persistent browser profile increases the potential blast radius. The skill also instructs the agent to kill and relaunch Chrome processes, which affects system state.
What to consider before installing
This skill asks the agent to reuse a pre-authenticated Chrome profile stored at /home/openclaw/gumroad-profile but the manifest lists no required config path or credentials — that mismatch is the main red flag. Before installing or running:
1) Ask the skill author to explicitly declare and justify the required config path and any sensitive artifacts; prefer an API-based auth (Gumroad API token) rather than reusing a browser profile.
2) If you must run it, do so in an isolated VM/container with a dedicated Chrome profile created just for automation (do not reuse a personal system profile).
3) Inspect the profile directory to understand what it contains (cookies, localStorage, saved passwords) and limit its filesystem permissions.
4) Block/monitor network egress from the runtime environment and review logs for unexpected outbound connections.
5) Require the author remove or explain 'Never log in manually' and the instruction to always reuse the profile, and provide a fallback/auth-refresh mechanism that does not rely on opaque human instruction.
If the author cannot justify the undeclared filesystem access, do not grant the skill access to your system profile.
