Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Revenue Coder

v1.0.0

Autonomously generates, tests, and deploys profit-optimized code for affiliate funnels, bounty bots, and trend-based revenue scripts.

by Sergey Solovev (@sergeysolovyev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The description promises autonomous generation, testing, and deployment to GitHub/workspace/live and integration with other services (coding-agent, github, exec, affiliate-master) and models (Claude Opus, Qwen). Yet the skill declares no required environment variables, no required config paths, and no install steps. Deploying to GitHub or invoking external model endpoints normally requires credentials and network config — their absence is incoherent with the stated purpose.
[!] Instruction Scope
SKILL.md instructs spawning sub-agents, routing tasks to particular models, generating and deploying revenue scripts, and 'self-evolving' code. Those instructions are broad and open-ended, give the agent large discretion (deploy to 'live', measure profit, iterate), and do not constrain what data to read or where to publish. This grants the agent scope to create, execute, and publish potentially abusive or harmful code (scrapers, auto-posters, bounty solvers) without safeguards.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only, so nothing is written to disk during install. That minimizes install-time risk but also means the skill's behavior depends entirely on runtime agent actions (which are not described in a least-privilege way).
[!] Credentials
The skill lists no required environment variables or credentials, yet claims to integrate with GitHub and external LLM providers and to run 'exec'. Deploying or executing code, pushing to GitHub, or routing to external models typically requires tokens/keys and network access. The lack of declared credentials is disproportionate and suggests either missing/hidden requirements or sloppy/misleading metadata.
Persistence & Privilege
The skill is not force-enabled (always: false) and allows normal autonomous invocation. Autonomous invocation combined with poorly scoped instructions (spawn sub-agents, deploy to live) increases risk, but autonomous invocation itself is the platform default and not sufficient alone to classify it as malicious.
What to consider before installing
This skill is suspicious because it tells the agent to do things (spawn sub-agents, route to specific models, test and push code to GitHub or 'live') but declares no credentials or install steps needed to do those things. Before installing or enabling it, ask the publisher for: 1) a clear list of required credentials and why each is needed (GitHub token, model API keys, any exec/shell access), 2) an explicit description of what 'deploy to live' means and what safeguards are in place, and 3) an audit of the generated code and a sandboxed test process. If you still consider using it: only grant minimal, scoped credentials (least privilege), require code review before any push to public repos, run it in an isolated environment, and restrict autonomous invocation or disallow deployment actions until you’ve validated behavior. If the skill’s source/owner cannot be verified, do not give it access to production GitHub tokens, payment/affiliate accounts, or any system where it can publish or run code publicly.

Like a lobster shell, security has layers — review code before you run it.

affiliate, bounty, cashmachine, coding, latest, profit, revenue
