Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Revenue Monitor — Gumroad, KDP & Etsy Sales Tracker

v1.0.0

Track daily sales and revenue from Gumroad, KDP, and Etsy; send alerts on spikes, drops, and generate daily, weekly, and monthly revenue summaries.

MIT-0
Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md clearly describes tracking Gumroad, KDP, and Etsy and sending Telegram alerts — that capability matches the name/description. However, the registry metadata declares no required credentials or env vars while the instructions explicitly rely on Gumroad tokens, Etsy API keys, and (implicitly) Telegram credentials and AgentReach session data. That metadata/instruction mismatch is incoherent and should be resolved before trusting the skill.
Instruction Scope
Instructions tell the agent to read/write local files (skills/revenue-monitor/config.json and systems/feedback/revenue-data.json) and to inspect ~/.agentreach/kdp-sales-cache. Reading external tool caches and writing persistent JSON with API tokens is beyond a minimal scoped instruction and could expose secrets. Otherwise API calls are limited to Gumroad, Etsy, and AgentReach/CSV inputs as expected.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes risk from arbitrary downloads or installs.
Credentials
The number and type of credentials implied (GUMROAD token, ETSY_API_KEY, AgentReach/KDP session, and some form of Telegram credential) are proportionate to the feature set, but none are declared in the registry metadata. The SKILL.md suggests storing secrets in skills/revenue-monitor/config.json (plain JSON) which is insecure. The skill also references reading ~/.agentreach/kdp-sales-cache (access to another tool's data), which increases the surface area for sensitive data exposure.
Persistence & Privilege
The skill writes persistent configuration and a revenue log to local paths under skills/ and systems/feedback; it does not request always:true and does not modify other skills. Persisting API tokens and logs is expected for this use case but the guidance to store tokens in an unencrypted JSON file and the use of a shared systems/feedback path could expose data to other local processes or skills.
What to consider before installing
Before installing:

1) Confirm where and how you will store API credentials — do NOT store API tokens in plain text under skills/revenue-monitor/config.json unless you accept the risk; prefer the platform's secret store or an encrypted file.

2) Verify the metadata vs SKILL.md: the skill requires Gumroad/Etsy/KDP credentials and a Telegram send mechanism (bot token + chat ID), but the registry lists no required env vars; ask the publisher to declare them.

3) Ask how Telegram alerts are sent — SKILL.md asks for a chat ID but doesn't mention a bot token or how the bot is authorized.

4) Understand the AgentReach dependency: if you use AgentReach, the skill reads ~/.agentreach/kdp-sales-cache — confirm you are okay with that tool's cache being accessed.

5) Consider limiting file permissions for config.json and revenue-data.json and review who/what can access systems/feedback.

6) Verify the publisher (clawhub.json lists a homepage/repo) and inspect that external repo or ask for a source archive before granting credentials.

If you cannot validate these points, avoid installing or provide only test/stub credentials.


License

MIT-0
Free to use, modify, and redistribute. No attribution required.