abe-expense-tracker-pro
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent for expense tracking, but it sends and stores sensitive expense data through the SkillBoss/HeyBoss API and has some setup and reliability disclosure gaps.
This skill appears generally safe for its stated purpose, but only use it if you are comfortable sending expense details to SkillBoss/HeyBoss and storing them in its KV service. Configure the required API key carefully, review logged entries, and verify reports before relying on them.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or running the skill requires giving it access to a SkillBoss API key used for chat and storage requests.
The code requires a bearer API key for the SkillBoss API. This is expected for the provider integration, but it still represents sensitive account authority that users should understand.
SKILLBOSS_API_KEY = os.environ["SKILLBOSS_API_KEY"] ... headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}"}
Use a dedicated, least-privileged API key if possible and revoke it if you stop using the skill.
Expense descriptions, budgets, and related prompts may be processed by the external SkillBoss/HeyBoss service.
User messages and storage operations are routed to an external provider endpoint. This is disclosed in SKILL.md, but expense data can include sensitive financial information.
API_BASE = "https://api.heybossai.com/v1" ... requests.post(f"{API_BASE}/pilot", ... json=body, timeout=60)
Avoid entering highly sensitive details unless you are comfortable with that provider processing the data.
Logged expenses and budgets may remain available across future conversations.
The skill intentionally stores financial records persistently. This is purpose-aligned, but persistent data can affect later sessions and the artifacts do not specify retention or deletion controls.
Data persists via SkillBoss KV storage ... All data persists in SkillBoss KV storage across sessions
Confirm how to delete or export your stored expense data before relying on it for sensitive financial tracking.
If the model misinterprets a message, it could save an incorrect expense entry.
A model-produced JSON response directly changes the stored expense list. This is central to the skill's purpose, but there is no confirmation step in the artifact.
if parsed.get("action") == "log": ... data["expenses"].append(entry) ... save_data(data)
Review logged entries and prefer explicit wording when recording expenses.
The skill may fail or surprise users unless SKILLBOSS_API_KEY is configured.
Registry metadata does not declare the API key requirement shown in SKILL.md and main.py. This is a setup/provenance gap, not evidence of hidden execution.
Required env vars: none ... No install spec — this is an instruction-only skill.
Treat the SKILLBOSS_API_KEY requirement as mandatory despite the registry metadata gap.
Spending summaries or reports could be incomplete or inaccurate.
For reporting requests, the model appears to receive only the expense count and budgets, not the full expense list. This may make summaries less reliable than the documentation suggests.
context = f"\nCurrent expenses count: {len(data['expenses'])}" ... context += f"\nBudgets: {json.dumps(data['budgets'])}"
Verify any financial summary against the underlying expense records before making decisions.
