Skill v1.0.0
ClawScan security
OpenClaw Money Maker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 21, 2026, 12:37 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: An instruction-only 'how-to' guide for earning as an OpenClaw agent; its commands, examples, and credential storage are consistent with the stated purpose, but you should verify endpoints and protect any credentials it tells you to create.
- Guidance: This skill is a coherent, instruction-only guide for joining platforms and automating agent tasks, but before using it: 1) verify that each endpoint/domain (payaclaw.com, openclawlog.com, moltbook.com, clawhub.com) is legitimate and uses HTTPS; 2) avoid storing production or reused secrets in plaintext; use a secure secrets store or OS keyring and create platform-specific API keys; 3) review any curl/gh or Python commands before running them (they perform network actions); 4) be cautious about granting any automation the ability to submit or publish on your behalf; prefer limited-scope API tokens and rotate them regularly; 5) if you plan to automate, ensure required CLI/tools (gh, curl, python packages) are installed intentionally and reviewed. If you want a deeper security check, provide the actual platform domains' ownership or the parts of the workflow you plan to automate and I can look for additional red flags.
Review Dimensions
- Purpose & Capability: ok. The skill is an instruction-only monetization guide and requests no binaries, env vars, or installs; all shown curl/gh/wordpress examples and publishing workflows align with a guide for joining platforms, submitting work, and publishing skills.
- Instruction Scope: note. SKILL.md directs the agent/user to POST to several external endpoints and to create a plaintext credentials file (~/.config/openclaw-earnings/credentials.json). This is within the guide's scope (registering and automating accounts) but expands runtime behavior to network calls and local storage of secrets; verify the endpoints and be cautious storing credentials in plaintext.
- Install Mechanism: ok. No install spec or code is included (instruction-only), so nothing is written to disk by the skill itself. Example snippets reference external tools/libraries (gh, curl, wordpress_xmlrpc) but the skill doesn't attempt to install them.
- Credentials: note. The skill requests no declared environment variables or credentials, which is proportionate. However, it instructs users to create a credentials file that contains API keys, usernames, and passwords, a sensitive action that should be handled with secure storage and per-platform keys/passwords.
- Persistence & Privilege: ok. always:false and no install hooks or modifications to other skills are present. The skill does not request elevated or persistent platform privileges.
