Ledger

Pass

Audited by ClawScan on May 1, 2026.

Overview

Ledger appears to be a simple local ledger tool that stores user-entered financial records on disk, with no evidence of network access, credential use, or hidden behavior.

This skill looks safe for a local ledger utility, but treat entries and exports as sensitive financial data. Review deletion and export actions before use, and protect or relocate the ~/.ledger data directory if needed.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked, the tool can delete local ledger entries or create export files containing ledger data.

Why it was flagged

The remove command deletes a line from the local ledger data file, and the export command copies ledger data to a file. These actions are disclosed and fit the ledger purpose, but they can alter or duplicate user financial records.

Skill content

sed -i "${num}d" "$DATA_DIR/data.jsonl" ... cp "$DATA_DIR/data.jsonl" "$out"

Recommendation

Use remove and export intentionally, and review exported files before sharing or storing them elsewhere.

What this means

Financial records entered into the tool remain on the local machine and may be visible to anyone or anything with access to that directory.

Why it was flagged

The script persists user-entered ledger entries in a local data file under ~/.ledger by default. This is expected for a ledger tool, but the entries may contain sensitive financial or business information.

Skill content

DATA_DIR="${LEDGER_DIR:-$HOME/.ledger}" ... printf '{"ts":"%s","cmd":"%s","val":"%s"}\n' ... >> "$DATA_DIR/data.jsonl"

Recommendation

Avoid storing secrets in ledger entries, protect the ~/.ledger directory appropriately, and use LEDGER_DIR if you want the data stored somewhere else.