Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
CashMachine Bounty Hunter
v1.0.0
Automates multi-repo GitHub bounty searches, estimates values, generates fixes via coding agent, automates PRs, and monitors payout progress.
by Sergey Solovev (@sergeysolovyev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, high confidence
Purpose & Capability
The skill claims full GitHub bounty workflow (searching multiple repos, estimating bounties, cloning, generating fixes, forking/PRs, and monitoring payouts) but declares no required environment variables (e.g., GITHUB_TOKEN), no required binaries (e.g., git or gh), and no config paths. Legitimately performing those actions requires credentials and git tooling; their absence is inconsistent.
Instruction Scope
SKILL.md (as summarized) instructs the agent to call the GitHub search API, temporarily clone repositories, run a coding agent to create fixes, and automate forks/PRs and payout monitoring. Those instructions imply reading and writing local repositories, executing arbitrary code changes, and interacting with remote APIs — actions outside a narrowly scoped search/analysis skill that are neither constrained nor justified in the documentation.
Install Mechanism
There is no install spec and no code files (instruction-only). That minimizes disk-write/install risk; however, the runtime instructions still expect external tooling and network access that are not declared.
Credentials
The skill requests no credentials yet needs to perform authenticated GitHub operations (forks, PRs, monitoring payouts). This suggests it would rely on whatever tokens/SSH keys the agent/user already has available — a disproportionate and under-specified request for high-impact privileges.
Persistence & Privilege
The skill is not always-enabled and does not request persistent installation or modify other skills. Autonomous invocation is allowed by default but is not, by itself, a new risk here.
Scan Findings in Context
[no_regex_findings] expected: Scanner found no code or regex matches because this is an instruction-only skill. Absence of findings is expected but does not imply the instructions are safe or coherent.
What to consider before installing
Do not install or run this skill until the author clarifies how it will obtain authorization and what tooling it expects. Ask for the full SKILL.md and require the following before proceeding:
(1) explicit declaration of required credentials (e.g., GITHUB_TOKEN) and why each is needed;
(2) a list of required binaries (git, gh, or others) and whether network access is used;
(3) an explicit confirmation step for any fork/PR/merge actions so the agent cannot act autonomously to modify repositories;
(4) guarantees about sandboxing or a recommendation to run on an isolated account/VM with no sensitive tokens.
If you must test it, do so in a disposable GitHub account and environment with no real funds or sensitive credentials.
Tags: automation, bounty, github, latest, opportunistic, revenue
