Ledger

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked, the tool can delete local ledger entries or create export files containing ledger data.

Why it was flagged

The remove command deletes a line from the local ledger data file, and the export command copies ledger data to a file. These actions are disclosed and fit the ledger purpose, but they can alter or duplicate user financial records.

Skill content

sed -i "${num}d" "$DATA_DIR/data.jsonl" ... cp "$DATA_DIR/data.jsonl" "$out"

Recommendation

Use remove and export intentionally, and review exported files before sharing or storing them elsewhere.

What this means

Financial records entered into the tool remain on the local machine and may be visible to anyone or anything with access to that directory.

Why it was flagged

The script persists user-entered ledger entries in a local data file under ~/.ledger by default. This is expected for a ledger tool, but the entries may contain sensitive financial or business information.

Skill content

DATA_DIR="${LEDGER_DIR:-$HOME/.ledger}" ... printf '{"ts":"%s","cmd":"%s","val":"%s"}\n' ... >> "$DATA_DIR/data.jsonl"

Recommendation

Avoid storing secrets in ledger entries, protect the ~/.ledger directory appropriately, and use LEDGER_DIR if you want the data stored somewhere else.