ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Income Agent

v1.0.0

Transform your OpenClaw agent into an autonomous income-generating system. Covers three compounding revenue streams: ClawHub skill sales, ClawJob bounties, a...

0· 281·2 current·2 all-time
byRoger Yelvington@rogeryelvington
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's name and description (autonomous income generation via ClawHub/ClawJob/affiliate content) match the instructions (searching ClawHub, publishing skills, monitoring bounty board, writing Beehiiv posts). One minor mismatch: the playbook shows CLI commands that in practice require authenticated accounts (clawhub publish, Beehiiv account) but the skill does not declare or request any credentials — this is reasonable for an instruction-only skill but worth noting.
Instruction Scope
SKILL.md only instructs network queries (curl to clawhub.ai/clawjob.ai), local ephemeral file usage (/tmp/clawjob.html), use of clawhub CLI and simple python JSON parsing. It does not instruct reading unrelated system files, harvesting environment variables, or exfiltrating user data. It does include promotional links and guidance to include affiliate links in published content — expected for a monetization guide.
Install Mechanism
No install spec or code files are present; this is an instruction-only skill (lowest install risk). It suggests adding $HOME/.npm-global/bin to PATH and using existing CLIs, but does not attempt to download or install binaries itself.
Credentials
The skill declares no required env vars or credentials, which aligns with being instruction-only. However, the recommended workflows (clawhub publish, Beehiiv account actions, bounty submissions) will require the user/agent to have account credentials or CLI auth configured in the environment. The skill does not attempt to access or ask for secrets itself — it relies on pre-existing auth.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system privileges. It does not modify other skills or system-wide config in its instructions. Autonomous invocation is allowed (platform default) but there is no evidence of elevated or persistent privileges being requested.
Assessment
This skill is a coherent, instruction-only monetization playbook: it tells your agent how to research, build, publish, and market ClawHub skills, monitor bounties, and publish affiliate content. It does not request secrets or install code itself, but you should be aware that: (1) actually publishing or submitting bounties will require authenticated accounts/CLIs (ClawHub, ClawJob, Beehiiv) that must already be configured on the host — the skill does not provide or request those credentials; (2) the playbook encourages publishing and using affiliate links and external payment services (there's a Stripe promo link) so verify external URLs and affiliate terms before posting content; (3) because the skill issues curl/publish commands that interact with external services, confirm you trust the services (clawhub.ai, clawjob.ai, beehiiv.com) and that no sensitive data or secret keys are placed into SKILL.md or sent to those endpoints. If you see any hidden install script, or if the skill later requests tokens/keys it didn't declare, treat that as suspicious and investigate before enabling.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bpg70yyht5axnnapf2as3p98286p9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments