Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

RevenueCat

v1.0.3

RevenueCat metrics, customer data, and documentation search. Use when querying subscription analytics, MRR, churn, customers, or RevenueCat docs.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (RevenueCat metrics, customers, docs) match the delivered files: a small bash wrapper that calls api.revenuecat.com and a large set of API reference documents. Required binary (curl) and the single env var (RC_API_KEY) are expected for this purpose.
Instruction Scope
SKILL.md instructs the agent to use scripts/rc-api.sh to call RevenueCat API endpoints and to consult included reference files or the public docs. The script only checks RC_API_KEY and performs a GET to https://api.revenuecat.com/v2<endpoint>. There are no instructions to read unrelated local files, other env vars, or to send data to third‑party endpoints.
Install Mechanism
No install spec (instruction-only plus a tiny included script). Nothing is downloaded from external, untrusted URLs and no archive extraction or package installation is requested — low install risk.
Credentials
Only RC_API_KEY is required and is exactly the credential needed to call RevenueCat APIs. The skill does not request unrelated secrets or config paths.
Persistence & Privilege
always is false and the skill does not request persistent/system-wide privileges or modify other skills. It will only use RC_API_KEY when invoked.
Assessment
This skill appears to do exactly what it says: it issues GET requests to RevenueCat using the RC_API_KEY. Before installing, confirm the skill's origin (source/homepage are unknown) and only provide a least-privilege RevenueCat API key (a v2 secret scoped to the needed project). Treat RC_API_KEY as sensitive: rotate/revoke it if the skill is removed or if you suspect misuse. If you need stricter control, test the skill with a throwaway or read‑only API key and avoid exposing production keys until you’re comfortable with its behavior. Finally, be aware the skill can call the RevenueCat API whenever invoked (agent autonomous invocation is allowed by default).

Like a lobster shell, security has layers — review code before you run it.

latestvk97a7ahmfad2kcm6gnp16f9vtx81z866


Runtime requirements

😻 Clawdis
Bins: curl
Env: RC_API_KEY
Primary env: RC_API_KEY
