Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Worth It — Agent Profitability Tracker
v1.0.2
Finally know if your AI is paying off. Per-project ROI tracking for OpenClaw agents.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (per-project ROI tracking) matches the instructions (log entries and calculate ROI). However the SKILL.md assumes a companion service (localhost:3002), optional Opik integration, and optional reading of memory/projects.json — none of which are declared as required config paths or credentials. That mismatch (implicit local service and file access) is a design assumption that should be explicit.
Instruction Scope
Runtime instructions tell the agent to recognize logging patterns anywhere in user messages and automatically POST structured entries to http://localhost:3002/api/value. This grants the agent broad discretion to transmit parsed conversation content to a local endpoint without an explicit confirmation step. The doc also references using an hourly_rate and project IDs (source unspecified), so it's unclear where those values come from before sending.
Install Mechanism
Instruction-only skill with no install spec or code files — nothing will be written to disk by the skill itself. Low install risk, but functionality depends on an external/local service that the user must install separately (not provided here).
Credentials
No environment variables, credentials, or config paths are requested. Yet the documentation advertises Opik cloud integration and auto-detection from memory/projects.json in the full version — those integrations would require credentials and file access, but they are not declared here. The absence of declared credentials is not a security hole by itself, but it is an inconsistency to be aware of.
Persistence & Privilege
always:false and no install/install hooks. The skill does not request permanent platform presence nor modify other skills or system settings.
What to consider before installing
This instruction-only skill expects a companion service at http://localhost:3002 and will POST parsed user messages there whenever it detects $saved/$earned/$time/$cost patterns. Before installing or enabling it:
1) Confirm you or your org will run and control the localhost service (obtain and review its source code) — otherwise the agent's posts have nowhere trusted to go.
2) If you run the service, host it in an isolated environment and inspect what fields it stores/transmits (avoid storing full conversation text if not needed).
3) Because the skill will act whenever it sees the patterns, consider requiring an explicit confirmation step in the SKILL.md (or your system prompt) before sending data.
4) Treat the vendor information and paid 'full version' claims skeptically: source is unknown—only buy if you can verify the implementation and the seller.
If you cannot or will not run a verified local service, do not enable this skill.
Like a lobster shell, security has layers — review code before you run it.
