Skill v1.0.0
ClawScan security
Hledger · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 28, 2026, 5:37 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill does what it claims (runs hledger) but its implementation allows shell injection and its documentation incorrectly states it blocks arbitrary shell execution.
- Guidance: This skill wraps the local hledger CLI but its code uses child_process.exec with unescaped user input, which can be exploited to run arbitrary shell commands. Before installing or using it: (1) avoid running it on systems with sensitive data or where untrusted inputs could be supplied; (2) prefer a patched version that uses execFile/spawn with an argument array or a strict whitelist of allowed subcommands/flags to eliminate shell interpolation; (3) require explicit user confirmation for any inputs containing unusual characters; (4) ensure hledger is installed from a trusted source and that ledger files have appropriate read permissions; (5) if you maintain the skill, replace exec with a safer API, validate/sanitize input, or sandbox the runtime (container/VM) to limit blast radius.
Review Dimensions
- Purpose & Capability (note): The name/description match the implementation: the skill wraps the local hledger CLI. Minor metadata mismatch: registry metadata lists no required binaries whereas SKILL.md correctly notes that an hledger binary must be present in PATH.
- Instruction Scope (concern): SKILL.md states the skill 'does not allow arbitrary shell execution — only hledger commands are prefixed and executed', but the runtime instructions (index.js) use child_process.exec with a single interpolated string (`hledger ${input}`), which permits shell metacharacter injection (e.g., `;`, `&&`, backticks). That contradicts the security claim and allows execution of arbitrary shell commands if a malicious or malformed input is passed.
- Install Mechanism (ok): No install spec is provided (instruction-only style with a small index.js). Nothing is downloaded or written during install, which minimizes install-time risk.
- Credentials (ok): No environment variables, credentials, or config paths are requested. The skill does require the hledger binary and read access to local ledger files, which is appropriate for its purpose.
- Persistence & Privilege (ok): The skill is not marked always:true and does not request elevated persistence or modify other skills. It can be invoked autonomously (default), which combined with the injection risk increases potential impact but is not a mis-declaration by itself.
