ClawHub

Expense Tracker

ReviewAudited by ClawScan on May 10, 2026.

Overview

This skill mostly matches its expense-tracking purpose, but malformed date or month inputs could make its script read or append to files outside the intended expense folder.

Use this only if you are comfortable storing expense details locally in markdown files and backups. Until date/month validation is tightened, use normal YYYY-MM-DD and YYYY-MM values only, and review what the agent is about to log when expenses are inferred from conversation.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern
ASI02: Tool Misuse and Exploitation
What this means

A bad or injected date/month value could corrupt or expose local markdown files outside the expense tracker’s normal folder.

Why it was flagged

The script uses user-supplied date/month strings directly in a filesystem path without validating the YYYY-MM format or rejecting path separators such as ../. A malformed argument could cause reads, appends, or backups outside the intended expenses directory.

Skill content
year_month = date[:7]  # YYYY-MM
...
return expenses_dir / f"{year_month}.md"
...
summary_parser.add_argument("year_month", nargs="?", help="Year-month (YYYY-MM, defaults to current month)")
Recommendation

Validate dates and months with strict patterns, reject slashes and dot-dot path segments, resolve the final path, and enforce that it remains inside the intended expenses directory.

Note
ASI06: Memory and Context Poisoning
What this means

Anyone or any sync service with access to those local folders may be able to see expense details and descriptions.

Why it was flagged

The skill stores and duplicates personal spending records persistently on disk. This is disclosed and central to the skill, but the data may be sensitive.

Skill content
Expenses are stored in `expenses/` directory at workspace root... Before every write, the script automatically backs up the current expense file to: `~/Documents/expenses_backup/YYYY-MM.md`
Recommendation

Avoid recording highly sensitive descriptions unless needed, and consider securing, excluding, or deleting backups if the Documents folder is synced or shared.