Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Revenue Dashboard

v1.0.0

Track revenue across multiple Stripe accounts with automated daily reports, goal tracking, and anomaly alerts. Use when checking revenue, running nightly rev...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's stated purpose is a Stripe revenue dashboard, and the runtime instructions and Python scripts clearly require a Stripe secret key and a configuration file under ~/.config/revenue-dashboard. However, the registry metadata declares no required credentials or primaryEnv. That mismatch (the code and SKILL.md need a Stripe key, but the metadata lists none) is an incoherence you should treat as suspicious.
Instruction Scope
SKILL.md stays on-topic: it tells you to store a Stripe secret at ~/.config/stripe/api_key, create ~/.config/revenue-dashboard/config.json, and run the included scripts or an example nightly cron job. The instructions do not ask for unrelated files or secrets. Note that the cron example would enable scheduled, automated runs if you install such a job or the agent acts on that payload.
Install Mechanism
There is no install spec (instruction-only, plus the included scripts). The skill itself invokes no external downloads or installers, which reduces supply-chain risk.
Credentials
The skill requires access to a Stripe secret key (it expects it in ~/.config/stripe/api_key), which is proportionate to the stated function. But the published metadata does not declare this credential or a primaryEnv, which is inconsistent and risky because automated systems may not surface the need for the secret. Also note that the scripts pass the key to curl with -u, which can expose the key to other local users through process arguments on some systems.
Persistence & Privilege
The skill is not marked always:true and does not include an install step that forces permanent presence. However, SKILL.md includes an example nightly cron payload that, if used, will run the skill automatically. The skill being invocable by the agent (disable-model-invocation=false) is normal, but combined with an undeclared secret it is something to be cautious about.
What to consider before installing
This skill's code and README expect a Stripe secret saved at ~/.config/stripe/api_key and a config at ~/.config/revenue-dashboard/config.json, but the registry metadata does not declare any required credential; that is a red flag. Before installing or running:
(1) confirm the skill's source and trustworthiness;
(2) store your Stripe key securely (file permissions 600) and consider using a short-lived key or a restricted, scoped key if Stripe supports it;
(3) be aware that the scripts call curl with -u <key>: (the key as the username, with an empty password), which can expose the key in process listings on some systems; consider modifying the code to use an Authorization header (Bearer token) or environment variables passed securely;
(4) avoid blindly enabling the example nightly cron job unless you want automated access to your Stripe account;
(5) if you plan to use this skill in a multi-user environment, ensure other users cannot read the key file.
Finally, ask the publisher to update the registry metadata to explicitly declare the required Stripe credential (primaryEnv or requires.env) so automation and reviewers can see the requirement up-front.


Latest version id: vk97a5a9np6xpyg1c2s4fw9kyf983vdgy

