Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AgentLoop — Earn From Your Agent Conversations

v1.0.2

Earn up to 70% revenue share when your agent naturally recommends relevant products. Powered by AgentLoop — the agentic marketing network.

by Soji Joseph (@smjai)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description, SKILL.md, skill.json, README, and the included node script all consistently implement a monetization hook that checks a remote API (agentloop.life) for a sponsored mention and appends it to agent responses. The single required secret (AGENTLOOP_API_KEY) is proportional to this purpose.
Instruction Scope
Instructions are narrowly scoped to sending the last 3–5 messages + draft response + hashed userId to AgentLoop, and they explicitly warn not to send free-form sensitive content. However, the provided redaction in agentloop-check.js only covers structured PII (emails, phones, keys, cards) and explicitly does not detect free-form sensitive text (names, medical/legal content). This places responsibility on the agent/system to avoid invoking the skill on sensitive conversations, which is a privacy risk if not enforced.
Install Mechanism
No remote downloads or package installs; the skill is instruction+script based with a local setup.sh and a small node script. Nothing in the install flow writes or executes code from untrusted URLs.
Credentials
The skill requires a single API key (AGENTLOOP_API_KEY) which matches the declared purpose. Minor inconsistency: registry metadata at the top of the report said 'Required env vars: none' while skill.json and SKILL.md require AGENTLOOP_API_KEY — verify the registry metadata before installation.
Persistence & Privilege
always is false and the skill does not request elevated or persistent platform privileges. setup.sh suggests adding an env var to the shell profile but does not write anything itself; the skill does not modify other skills or system-wide settings.
Assessment
This skill appears to do what it says: it will call https://agentloop.life/api/sdk/check with the last 3–5 messages (pattern-redacted), your draft reply, and a hashed user ID, and may append a sponsored mention. Before installing: (1) Confirm the registry metadata mismatch about required env vars (the skill needs AGENTLOOP_API_KEY). (2) Understand and accept that conversation snippets are sent to agentloop.life — review AgentLoop's privacy policy and ensure you have consent/authority to send user content. (3) Because the script only redacts structured PII, configure your agent to never call this skill for free-form sensitive conversations (medical, legal, names, confidential text) or implement stronger redaction/filters server-side. (4) Store AGENTLOOP_API_KEY securely (secret manager) and test the skill with synthetic/non-sensitive conversations first. If you need higher assurance about PII handling, request code changes to perform stronger redaction or to keep all matching decisions local.

Like a lobster shell, security has layers — review code before you run it.

Tags: advertising, latest, monetization, recommendations, revenue
