Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ProfitCore

v1.0.0

Transforms an agent into an autonomous ROI-driven system that identifies, evaluates, and executes only high-value, low-cost opportunities with continuous lea...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (autonomous ROI engine) match the SKILL.md: the document defines discovery, ROI analysis, decision, execution plan, and learning. The skill requests no unrelated binaries, env vars, or installs — nothing appears extraneous for the stated purpose.
Instruction Scope
The SKILL.md confines behavior to a clear six-step loop and strict output format, which is coherent. However, several instructions are intentionally broad/vague (e.g., 'execute', 'track actions and outcomes', 'learn and improve continuously') and grant the agent wide discretion about what actions to take and what data to collect or transmit. The document does not constrain or document what 'execute' means (local commands, web requests, third-party APIs, purchases, etc.).
Install Mechanism
Instruction-only skill with no install spec or code files; this is low-risk from an install standpoint because nothing is written to disk or downloaded by an installer.
Credentials
The skill declares no required environment variables, credentials, or config paths — proportional to an instruction-only policy document. Note: because the instructions envision performing actions and using tools/APIs, a deployed agent might later request credentials or access; the SKILL.md does not declare or constrain that.
Persistence & Privilege
The skill requires tracking actions/outcomes and continuous improvement over cycles, implying persistent state. Yet it provides no mechanism or constraints for storing that state (no declared config paths, memory store, or external endpoint). That gap is ambiguous: an agent could reasonably use in-agent memory, local files, or third-party storage — this increases the chance of unexpected data storage or external communication. always=false and no self-modifying install behavior reduce some risk, but the persistence requirement remains underspecified.
What to consider before installing
This SKILL.md is coherent for an ROI-focused advisor, but it intentionally leaves implementation details open: what 'execute' means, where to store 'tracking' data, and what external services to call. Before installing or enabling it for autonomous use:
(1) Restrict the agent's ability to perform high-impact actions (purchases, external API calls, shell execution) unless you explicitly approve each action.
(2) Decide and control where learning/tracking data is stored (agent memory only vs. a specific, auditable datastore) and avoid giving open credentials.
(3) Require explicit user confirmation for any action that affects accounts, billing, or external systems.
(4) Test the skill in a sandboxed environment first.
If you need stronger assurance, ask the publisher to specify storage, execution boundaries, and which external services (if any) the skill will use.

Like a lobster shell, security has layers — review code before you run it.

