Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Expense Tracker

v1.0.0

Track daily expenses in structured markdown files organized by month. Use when the user wants to log spending, view expense summaries, analyze spending patte...

0 · 662 · 1 current · 1 all-time
by Loc Vo (@aholake) · duplicate of @aholake/expense-tracker
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (expense logging, summaries, categories) match the included script and SKILL.md instructions. The skill asks for no unrelated credentials or binaries and only needs filesystem access to store markdown files under a workspace — this is proportionate to the stated purpose.
Instruction Scope
The runtime instructions run only the bundled Python script (scripts/log_expense.py) to log or summarize expenses. The script reads/writes files under a workspace (default ~/.openclaw/workspace/expenses) and does not access the network, other system configuration, or unrelated files. The SKILL.md and script explicitly document the optional --workspace override.
Install Mechanism
There is no install specification (instruction-only plus a small bundled script). Nothing is downloaded or executed from external URLs, so installation risk is low.
Credentials
The skill requests no environment variables or credentials. The script does not read secrets or external config; it only accepts an optional --workspace path argument. This is proportional to logging and summarizing expenses.
Persistence & Privilege
always:false and no special privileges are requested. The only persistent effect is creating/updating markdown files in the chosen workspace directory (default under the user's home). The skill does not modify other skills or global agent configuration.
Assessment
This skill appears coherent and low-risk, but consider the following before installing:

1) The script stores expense data as plaintext markdown under a workspace (default: ~/.openclaw/workspace/expenses) — avoid storing sensitive account numbers.
2) You can pass --workspace to confine files to a project or sandbox; consider doing so.
3) The source/owner is unknown — you can manually review the short Python script (included) and run it locally to confirm behavior before allowing any automated invocation.
4) Because the agent can invoke skills autonomously by default, decide whether you want the agent to log expenses without explicit confirmation; otherwise invoke the skill manually.
5) Back up or protect the expenses directory if you care about privacy.

Overall the code is short, readable, and consistent with the stated purpose.
