receipt-expense-workbench

PassAudited by ClawScan on May 1, 2026.

Overview

This is a coherent local expense-ledger helper with no evident hidden networking, credential use, or destructive behavior.

This skill appears safe for its stated purpose. Before installing or using it, remember that receipts and reimbursement records can contain sensitive financial or business information, so provide only the files needed, write outputs to a safe location, and inspect the generated ledger before sharing it.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI02: Tool Misuse and Exploitation

What this means

If run with the wrong output path, the script could overwrite a local file with the generated ledger; the ledger may also contain private reimbursement details.

Why it was flagged

The helper script reads a user-specified JSON file and writes a CSV output path. This is central to the skill's purpose, but it means users should choose input and output paths deliberately to avoid unintended overwrites or exposure of expense data.

Skill content

ap.add_argument("items_json", help="JSON list with vendor/date/amount/description")
ap.add_argument("--out", default="expense_ledger.csv")
items = json.load(open(args.items_json, "r", encoding="utf-8"))
with open(args.out, "w", encoding="utf-8", newline="") as f:

Recommendation

Run it only on files you intend to process, use an explicit safe output filename, and review the CSV before sharing or submitting it.