Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent Revenue Analytics: Attribution, LTV, Cohorts, and Pricing Optimization for AI Agent Services

v1.0.0

Agent Revenue Analytics: Attribution, LTV, Cohorts, and Pricing Optimization for AI Agent Services. Complete guide to revenue measurement for AI agent servic...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals: Crypto · Requires wallet · Can make purchases · Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description match the instructions: a revenue-analytics guide that calls a commerce gateway and implements attribution, LTV, cohorts, churn, pricing, and dashboards. Calling a payments/billing API and using Python 'requests' is coherent for this purpose.
! Instruction Scope
SKILL.md explicitly instructs code examples to POST to GreenHelix's /v1/execute and to build webhook-driven dashboards using billing, payments, marketplace, and identity data. Those instructions imply collection, processing, and transmission of sensitive customer and billing data and possibly scraping/monitoring competitor marketplaces. The skill does not document what exact data fields are read or where webhooks send data, nor does it limit or justify broad data access.
Install Mechanism
This is an instruction-only skill with no install spec and no code files shipped, so nothing is written to disk by an installer. That lowers install-time risk. The regex scanner had no code to analyze.
! Credentials
The guide says authentication is 'via Bearer token' for the GreenHelix gateway, but requires.env and primary credential are empty. There's a clear mismatch: the skill will need an API token (and possibly additional credentials or scoped access to billing/identity data) but does not declare them. Missing declarations make it unclear how credentials will be supplied and whether least-privilege scopes will be requested.
Persistence & Privilege
always is false, no install, and no indication the skill requests persistent system-level privileges or modifies other skills. Autonomous invocation is allowed (platform default) but not combined with other privilege escalations here.
What to consider before installing
Before installing or running this skill, get answers from the publisher:
(1) Which specific API credentials are required (name, env var, expected scope) and why? The tool claims to use a Bearer token but declares none — that mismatch is the main red flag.
(2) Exactly which billing, identity, and marketplace data fields the code will read, store, or transmit, and where webhooks send data.
(3) Whether the Bearer token can be scoped to least privilege (read-only billing vs. full account access) and whether tokens will be stored/encrypted.
(4) Ask for the full SKILL.md and any code examples so you or a security reviewer can audit them for data exfiltration (e.g., posting PII to external endpoints).
If you must proceed, run the guide in a restricted environment, use scoped/test credentials, and do not provide production billing/identity tokens until you verify the code's behavior. If the author cannot clearly declare required env vars and the exact data access pattern, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

Tags: ai-agent, analytics, attribution, churn, cohorts, greenhelix, guide, latest, ltv, openclaw, pricing, revenue
