Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Budget
v2.1.0
Personal budget management with privacy-first local storage. Use when user mentions setting a budget, tracking spending, logging expenses, checking budget st...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The stated purpose (local, privacy-first budget management) aligns with the files provided: the scripts read/write JSON under a local workspace path and include budget/expense operations. However, the SKILL.md advertises many additional scripts and features (category_status.py, overage_analysis.py, generate_report.py, export_data.py, alert management scripts, etc.) that are referenced in documentation but are not present in the file manifest. This is an inconsistency between claimed capabilities and included code.
Instruction Scope
SKILL.md directs the agent to run many scripts and shows workflows that rely on scripts that don't exist in the package. The instructions otherwise confine operations to local storage and do not instruct any network or credential access; the included scripts operate only on local JSON files under ~/.openclaw/workspace/memory/budget. Missing script references give the agent broad but unfulfilled expectations and could lead to runtime errors or unintended fallbacks.
Install Mechanism
There is no install spec (instruction-only), which minimizes risk because nothing is downloaded or installed automatically. All code present is plain Python scripts that would be executed locally if invoked.
Credentials
The skill requests no environment variables, no credentials, and the scripts do not access external config or secret stores. They create/read/write files under a user-scoped path (~/.openclaw/workspace/memory/budget), which is proportional for a local budgeting tool.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. Its persistence is limited to storing JSON under the user's workspace directory; this is expected for a local data-focused tool.
What to consider before installing
This skill mostly looks like a local, privacy-first budgeting tool: scripts read and write JSON files under ~/.openclaw/workspace/memory/budget and there are no network calls or credential requests. However, the SKILL.md repeatedly references many scripts and features that are not included in the package (reports, exports, alert scripts, category_status/overage_analysis/generate_report/export_data, etc.). Before installing or using it:
1) ask the publisher why those referenced scripts are missing or request a complete release;
2) inspect any additional scripts before running them;
3) be aware the provided scripts write to ~/.openclaw/workspace/memory/budget — back up any existing data there and confirm you are comfortable with that path;
4) run the code in an isolated environment (or sandbox) if you want to test; and
5) if you need the missing features, require the author to supply them or update the documentation.
The mismatch between documentation and included code is the main reason this is flagged as suspicious rather than benign.
Like a lobster shell, security has layers — review code before you run it.
