Ledger
Advisory
Audited by VirusTotal on Mar 21, 2026.
Overview
Type: OpenClaw Skill
Name: ledger
Version: 1.0.0
The ledger skill is a straightforward CLI tool for tracking financial entries locally in ~/.ledger. The shell script (scripts/script.sh) implements basic CRUD operations and data export without any network activity, obfuscation, or attempts to access sensitive system files. While the script contains minor vulnerabilities such as potential injection in the sed-based config command, there is no evidence of malicious intent or harmful behavior.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked, the tool can delete local ledger entries or create export files containing ledger data.
The remove command deletes a line from the local ledger data file, and the export command copies ledger data to a file. These actions are disclosed and fit the ledger purpose, but they can alter or duplicate user financial records.
sed -i "${num}d" "$DATA_DIR/data.jsonl" ... cp "$DATA_DIR/data.jsonl" "$out"
Use remove and export intentionally, and review exported files before sharing or storing them elsewhere.
Financial records entered into the tool remain on the local machine and may be visible to anyone or anything with access to that directory.
The script persists user-entered ledger entries in a local data file under ~/.ledger by default. This is expected for a ledger tool, but the entries may contain sensitive financial or business information.
DATA_DIR="${LEDGER_DIR:-$HOME/.ledger}" ... printf '{"ts":"%s","cmd":"%s","val":"%s"}\n' ... >> "$DATA_DIR/data.jsonl"
Avoid storing secrets in ledger entries, protect the ~/.ledger directory appropriately, and use LEDGER_DIR if you want the data stored somewhere else.
