ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AgentLoop — Earn From Your Agent Conversations

v1.0.2

Earn up to 70% revenue share when your agent naturally recommends relevant products. Powered by AgentLoop — the agentic marketing network.

0· 116·0 current·0 all-time
bySoji Joseph@smjai

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for smjai/agentloop.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "AgentLoop — Earn From Your Agent Conversations" (smjai/agentloop) from ClawHub.
Skill page: https://clawhub.ai/smjai/agentloop
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install agentloop

ClawHub CLI

Package manager switcher

npx clawhub@latest install agentloop
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, SKILL.md, skill.json, README, and the included node script all consistently implement a monetization hook that checks a remote API (agentloop.life) for a sponsored mention and appends it to agent responses. The single required secret (AGENTLOOP_API_KEY) is proportional to this purpose.
Instruction Scope
Instructions are narrowly scoped to sending the last 3–5 messages + draft response + hashed userId to AgentLoop, and they explicitly warn not to send free-form sensitive content. However, the provided redaction in agentloop-check.js only covers structured PII (emails, phones, keys, cards) and explicitly does not detect free-form sensitive text (names, medical/legal content). This places responsibility on the agent/system to avoid invoking the skill on sensitive conversations, which is a privacy risk if not enforced.
Install Mechanism
No remote downloads or package installs; the skill is instruction+script based with a local setup.sh and a small node script. Nothing in the install flow writes or executes code from untrusted URLs.
Credentials
The skill requires a single API key (AGENTLOOP_API_KEY) which matches the declared purpose. Minor inconsistency: registry metadata at the top of the report said 'Required env vars: none' while skill.json and SKILL.md require AGENTLOOP_API_KEY — verify the registry metadata before installation.
Persistence & Privilege
always is false and the skill does not request elevated or persistent platform privileges. setup.sh suggests adding an env var to the shell profile but does not write anything itself; the skill does not modify other skills or system-wide settings.
Assessment
This skill appears to do what it says: it will call https://agentloop.life/api/sdk/check with the last 3–5 messages (pattern-redacted), your draft reply, and a hashed user ID, and may append a sponsored mention. Before installing: (1) Confirm the registry metadata mismatch about required env vars (the skill needs AGENTLOOP_API_KEY). (2) Understand and accept that conversation snippets are sent to agentloop.life — review AgentLoop's privacy policy and ensure you have consent/authority to send user content. (3) Because the script only redacts structured PII, configure your agent to never call this skill for free-form sensitive conversations (medical, legal, names, confidential text) or implement stronger redaction/filters server-side. (4) Store AGENTLOOP_API_KEY securely (secret manager) and test the skill with synthetic/non-sensitive conversations first. If you need higher assurance about PII handling, request code changes to perform stronger redaction or to keep all matching decisions local.

Like a lobster shell, security has layers — review code before you run it.

latestvk975bs1vrt4wd10hw9z8rd9cy1839hyc
116downloads
0stars
3versions
Updated 1mo ago
v1.0.2
MIT-0
Soji Joseph@smjai
latest
Download

AgentLoop — Earn From Your Conversations

You are connected to the AgentLoop monetisation network. Before sending any response to the user, check whether a relevant product recommendation is appropriate for this conversation.

Privacy & data rules (read carefully)

Before calling AgentLoop, this script applies pattern-based redaction for structured PII only. It does NOT detect free-form sensitive text (names, medical content, legal text). You are responsible for not passing sensitive conversations to this skill.

The script automatically removes:

  • Full names, email addresses, phone numbers
  • Passwords, API keys, tokens, secrets
  • Payment card numbers, bank details
  • Medical, health, or legal information
  • Any text the user has explicitly said is private or confidential

Replace stripped values with [REDACTED]. For free-form sensitive content (names, medical, legal), do not invoke this skill at all — skip the agentloop_check call entirely for those conversations.

The userId field is always a SHA-256 hash of the internal user ID — never the raw value. The helper script handles this automatically.

When to check AgentLoop

Check AgentLoop ONLY when:

  • The user is asking for a tool, product, service, or solution recommendation
  • The user is describing a problem that a product could solve
  • The conversation involves a purchase decision, workflow improvement, or technical need

Do NOT check AgentLoop when:

  • The conversation involves personal distress, grief, mental health, or emergencies
  • The user is upset, venting, or in crisis
  • The conversation contains sensitive personal data that cannot be fully redacted
  • You have already shown a sponsored mention in this conversation

How to use this skill

Before finalising your response, call the agentloop_check tool with:

  • conversation: the last 3-5 messages as a single string, with PII stripped
  • response: what you are about to say

If the tool returns shouldMention: true, append the suggestedMention to the end of your response, separated by two line breaks.

Never modify the suggestedMention text. Append it exactly as returned. It already includes the required "Sponsored mention via AgentLoop" disclosure.

What gets sent to AgentLoop

This skill sends the following to https://agentloop.life/api/sdk/check:

  • conversationContext: last 3-5 messages with PII stripped as described above
  • agentResponse: your draft response
  • userId: a SHA-256 hash, never the raw user ID

No data is sent to any other endpoint. The AGENTLOOP_API_KEY authenticates the request.

Setup

Set your API key as an environment variable before starting OpenClaw:

export AGENTLOOP_API_KEY=al_live_your_key_here

Get your key at: https://agentloop.life/dashboard/api-keys

Example

User: "what is a good tool for monitoring my LLM in production?"

You write your normal response, call agentloop_check, and if a match is found your response ends with:

By the way — [ProductName] is worth checking out for this. [link] — Sponsored mention via AgentLoop

Comments

Loading comments...