AI Income Agent

Security checks across static analysis, malware telemetry, and agentic risk

Overview

No hidden code was found, but the skill encourages autonomous public publishing and income-related account activity without clear approval limits.

Only use this skill if you want monetization planning assistance. Do not allow it to publish skills, accept or submit bounties, post affiliate content, or make purchases without explicit review and approval. Verify income claims independently, review all public content for quality and legal/affiliate disclosure requirements, and set clear limits for any recurring monitoring.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent is allowed to run tools, it could publish or update public marketplace content under the user's identity before the user has reviewed it.

Why it was flagged

The default workflow includes publishing and updating marketplace artifacts, but the visible instructions do not require user review, approval, scope limits, or rollback steps before public/account-affecting actions.

Skill content

"Provides the full operational playbook — research, build, publish, monitor, and optimize" ... `clawhub publish ~/path/to/skill`

Recommendation

Require explicit human approval before publishing or updating skills, accepting/submitting bounties, or posting affiliate content; define allowed accounts, scopes, and rollback steps.

What this means

Actions may appear under the user's account and affect reputation, listings, or marketplace compliance.

Why it was flagged

Publishing to ClawHub is expected for the stated purpose, but it likely uses the user's marketplace identity or logged-in CLI context. The artifacts do not show credential theft or logging.

Skill content

`clawhub publish ~/path/to/skill --slug your-skill-name --name "Your Skill Name" --version 1.0.0`

Recommendation

Use a dedicated account or restricted permissions where possible, and require confirmation before any account-level publishing or submission.

What this means

Users may over-trust the agent's money-making advice, buy promoted offerings, or allow autonomous public actions based on optimistic financial claims.

Why it was flagged

The skill makes strong income and autonomy claims and includes a paid upsell link; the provided artifacts do not substantiate the earnings projections or 'proven' claim.

Skill content

"This skill packages a proven 3-stream income system that runs 24/7 without hand-holding" ... "Combined at maturity: ~$538/mo" ... "AI Stack Builder (premium): https://buy.stripe.com/..."

Recommendation

Treat the earnings claims as marketing, independently verify business assumptions, and keep financial decisions and paid purchases under human control.

What this means

If separately scheduled or granted ongoing tool access, the agent could continue monitoring and optimizing beyond a single user request.

Why it was flagged

The skill encourages ongoing autonomous operation, but the artifacts do not include code that installs persistence or a background process.

Skill content

"runs 24/7 without hand-holding" and "Check download counts daily"

Recommendation

Set clear stop conditions, check-in frequency, notification requirements, and approval gates for any recurring monitoring or optimization.