Hledger

Suspicious. Audited by ClawScan on May 10, 2026.

Overview

The skill has a legitimate hledger-related purpose, but it passes user-supplied text directly into a shell, so crafted input could run commands other than hledger, despite the documentation claiming that this is not possible.

Do not expose this skill to untrusted prompts, chat bots, or automated workflows until it is fixed. A safer version should call hledger without a shell, validate allowed arguments, and clearly document that it can read local financial ledger files.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern, High Confidence
ASI05: Unexpected Code Execution
What this means

A crafted request could cause commands outside hledger to run on the user's machine under the agent's local account.

Why it was flagged

Node's child_process.exec runs its command string through a shell, and the skill interpolates unescaped user-controlled input into that command string.

Skill content
exec(`hledger ${input}`, (err, stdout, stderr) => {
Recommendation

Replace exec with execFile or spawn using an argument array, validate allowed hledger subcommands and flags, and reject shell metacharacters.

What this means

An agent or connected chat workflow could pass overly broad or unsafe command strings, especially because no approval or scoping boundary is documented.

Why it was flagged

The skill intentionally exposes a broad command surface, and the included code does not constrain the input to safe hledger arguments.

Skill content
- Executes arbitrary `hledger` subcommands
Recommendation

Define a narrow set of supported read-only hledger operations, parse arguments explicitly, and require user confirmation for file-changing or unusual commands.

What this means

Users may trust the skill as limited to hledger when the actual boundary is weaker.

Why it was flagged

This safety claim is contradicted by the implementation, because prefixing input with hledger inside a shell does not prevent shell injection.

Skill content
It does not allow arbitrary shell execution — only `hledger` commands are prefixed and executed.
Recommendation

Correct the documentation and fix the implementation before relying on this safety claim.

What this means

The skill runs whichever hledger executable is found first on the local PATH, so an untrusted or unexpected PATH entry could change which binary is executed.

Why it was flagged

The skill depends on an external local binary rather than a pinned bundled dependency, so behavior depends on the user's local PATH and hledger installation.

Skill content
`hledger` must be installed and available in PATH
Recommendation

Use a trusted hledger installation, document the required binary in metadata, and consider resolving a fixed executable path.