ClawHub

Gumroad Analytics

v1.0.1

Pull daily Gumroad product/sales analytics safely (no raw PII persistence by default).

0· 379·0 current·0 all-time
byVlad Rimsha@vladchatware
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation: the script requires curl/python3/date and a Gumroad credentials JSON, calls api.gumroad.com/v2/sales and /products, computes a daily summary, and writes outputs under memory/metrics/gumroad. No unrelated services, binaries, or credentials are requested.
Instruction Scope
SKILL.md just instructs the agent to run the included shell script. The script only reads the declared credentials file (or an optional override), makes HTTPS calls to Gumroad, writes a summary file, and optionally writes redacted raw files when --store-raw is passed. It does not read other system files or transmit data to unexpected endpoints.
Install Mechanism
No install spec — instruction-only plus a small bundled shell script. Nothing is downloaded or written outside the working directory except the output files under memory/metrics/gumroad. This is low-risk and proportionate for the stated purpose.
Credentials
The skill declares no required environment variables, but the script will honor an optional GUMROAD_CREDENTIALS_FILE env var as an override (not documented in SKILL.md). The primary credential is a local credentials.json file, which is appropriate. Note: the script passes the access token as a query parameter in curl requests (access_token=...), which can be logged in some systems — consider using an Authorization header if Gumroad supports it. Also verify that redaction covers any PII fields you care about before enabling --store-raw.
Persistence & Privilege
always is false and the skill does not modify other skills or global agent configuration. It writes output only to memory/metrics/gumroad within the workspace and does not persist raw payloads unless explicitly requested by the user.
Assessment
This skill appears to do what it says, but take these precautions before installing or running it: - Verify the credentials file (~/.config/gumroad/credentials.json) exists and contains only the Gumroad access token; keep file permissions restrictive (chmod 600) as recommended. - Be cautious with --store-raw: inspect the raw-output redaction logic and confirm it removes all PII fields you consider sensitive (the script only removes keys 'email','full_name','name','buyer_email'). - The script sends the token as a URL query parameter, which can be captured in logs; if you prefer, run in a controlled environment or modify the script to use an Authorization header if Gumroad supports it. - Note the script respects an optional GUMROAD_CREDENTIALS_FILE env var (not documented in SKILL.md) — if you rely on that, ensure its value points to the intended file. - As with any third-party script, inspect the code yourself and run it in an isolated environment if you have concerns about credential exposure or file writes.

Like a lobster shell, security has layers — review code before you run it.

latestvk973cpep12td5v359gcsz3aaes825vy6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binscurl, python3, date
Config~/.config/gumroad/credentials.json

Comments