好运莲莲

Advisory
Audited by Static analysis on Apr 17, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your spending records, income entries, notes, and reflections may remain on disk and be used later by the skill.

Why it was flagged

The skill persistently stores personal financial records and memo/reflection content in local JSONL files. This is expected for the stated purpose, but the data is sensitive and reused for future queries and insights.

Skill content
`transactions.jsonl`: transaction ledger
- `memos.jsonl`: memos and reflections
...
- Primary data is stored only in local JSONL and is not written to memory
Recommendation

Only store information you are comfortable keeping locally, protect the Hermes home directory, and periodically review or delete old records.

What this means

A mistaken update/delete request could change or remove a local bookkeeping or memo entry.

Why it was flagged

The skill documents commands that modify or delete the most recent local bookkeeping record. This is purpose-aligned, but the `--last` behavior depends on local context and can affect the wrong record if misunderstood.

Skill content
python SKILL_DIR/scripts/records.py transaction-update --last --amount 28
python SKILL_DIR/scripts/records.py transaction-delete --last
Recommendation

Ask the agent to show the target record before deleting or modifying it, especially when using “last” or “刚才那条” (“the one just now”) style references.

Note
High Confidence
ASI10: Rogue Agents
What this means

Reminders or digest jobs can continue after the original chat session and may send future messages.

Why it was flagged

The skill uses persistent cron jobs that run in future sessions for reminders or subscription digests. The artifacts say subscriptions are created only when explicitly enabled, so this is disclosed and purpose-aligned.

Skill content
cron jobs run in a brand-new session with no current conversation context; the prompt must be self-contained
Recommendation

Enable scheduled jobs only when you want them, and use the documented cancel/disable flows for reminders or weekly/monthly digests you no longer need.

What this means

It may be harder to independently verify the author, change history, or maintenance status.

Why it was flagged

The registry information does not provide a source repository or homepage. No malicious behavior is shown, but provenance is limited.

Skill content
Source: unknown
Homepage: none
Recommendation

Review the included files and owner information before installing, especially because the skill handles private personal data.