Expense Tracker

Advisory. Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern: Medium Confidence
ASI02: Tool Misuse and Exploitation
What this means

A bad or injected date/month value could corrupt or expose local markdown files outside the expense tracker’s normal folder.

Why it was flagged

The script uses user-supplied date/month strings directly in a filesystem path without validating the YYYY-MM format or rejecting path separators such as ../. A malformed argument could cause reads, appends, or backups outside the intended expenses directory.

Skill content

year_month = date[:7]  # YYYY-MM
...
return expenses_dir / f"{year_month}.md"
...
summary_parser.add_argument("year_month", nargs="?", help="Year-month (YYYY-MM, defaults to current month)")

Recommendation

Validate dates and months with strict patterns, reject slashes and dot-dot path segments, resolve the final path, and enforce that it remains inside the intended expenses directory.

What this means

Anyone or any sync service with access to those local folders may be able to see expense details and descriptions.

Why it was flagged

The skill stores and duplicates personal spending records persistently on disk. This is disclosed and central to the skill, but the data may be sensitive.

Skill content

Expenses are stored in `expenses/` directory at workspace root... Before every write, the script automatically backs up the current expense file to: `~/Documents/expenses_backup/YYYY-MM.md`

Recommendation

Avoid recording highly sensitive descriptions unless needed, and consider securing, excluding, or deleting backups if the Documents folder is synced or shared.