Cashflow
ReviewAudited by ClawScan on May 10, 2026.
Overview
CashFlow is a local-only finance logger, but its remove command says it deleted an entry while the code leaves the record in place.
Review this skill before installing if you need reliable deletion of financial records. It appears local-only and has no network or credential use, but its `remove` command does not actually remove entries, so sensitive data may persist in `data.log` and `history.log`.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may believe a sensitive financial entry was deleted when it actually remains on disk.
The implementation reports that an entry was removed but does not edit `data.log`; this conflicts with SKILL.md's documented `cashflow remove <entry>` command to 'Remove an entry'.
cmd_remove() { echo " Removed: $1"; _log "remove" "${1:-}"; }Do not rely on `cashflow remove` for deletion unless the command is fixed; manually inspect and edit or delete `data.log` and `history.log` when removing sensitive records.
Finance entries and command history can remain on the local machine in plain files and may be printed or exported by the tool.
The skill intentionally persists personal cashflow entries and command history in local files, which is purpose-aligned but may contain sensitive financial details.
All data is stored locally in `~/.local/share/cashflow/` ... `history.log` — Timestamped audit trail of every command executed
Use it only on trusted machines, avoid recording secrets, set `CASHFLOW_DIR` to an appropriate private location, and review both `data.log` and `history.log` for retained sensitive data.