Subscription Revenue Tracker

v1.1.0

SaaS and subscription business revenue intelligence. Track MRR/ARR, calculate churn rate, net revenue retention (NRR), customer lifetime value (LTV), cohort...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (MRR/ARR, churn, cohorts, QBO journaling) matches the runtime instructions: Stripe/Chargebee API calls, CSV handling, and Python/CLI examples. Optional binaries and APIs listed in metadata (stripe, python3, jq, curl; Stripe/Chargebee/QBO) are appropriate for the stated purpose.
Instruction Scope
Instructions stay within the domain of revenue/KPI computation and GL posting. However, examples show direct use of secret keys (e.g. sk_live_YOUR_KEY) embedded in curl and Python snippets; there is no guidance in the SKILL.md about minimizing exposure (use restricted/read-only keys, environment variables, or token-scoped credentials) or avoiding commit/logging of secrets.
Install Mechanism
No install spec and no code files — instruction-only skill. This is lower-risk because nothing is downloaded or written to disk by the skill itself.
Credentials
The skill does not declare required environment variables or a primary credential, but the runtime examples clearly expect Stripe/Chargebee API keys. This is proportionate to the purpose, but the lack of declared credential handling and the use of inline live-key examples increases the chance a user will accidentally expose sensitive credentials.
Persistence & Privilege
always is false and the skill has no install or persistent components. Autonomous invocation is allowed (platform default) but there is no extra persistence or system-wide configuration requested.
Assessment
This skill appears to do what it claims (compute MRR/ARR, churn, cohorts, and prepare GL entries), but it uses examples that inline secret keys. Before installing or using:

(1) Never paste live secret keys into commands or source files — use environment variables or a secrets store and prefer restricted/read-only API keys with minimal scope.
(2) Test with test/sandbox credentials (Stripe test keys) rather than sk_live keys.
(3) Be careful when running CLI commands that may be saved in shell history or logs; consider using --api-key-from-env patterns.
(4) Review any generated QBO journal entries before posting to your production accounting system.
(5) Because the skill can be invoked autonomously by default, only grant it access to financial credentials if you trust it and monitor usage; if you need more assurance, ask the publisher for provenance or a repository link before providing credentials.

Like a lobster shell, security has layers — review code before you run it.
