Cashflow
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may believe a sensitive financial entry was deleted when it actually remains on disk.
The implementation reports that an entry was removed but does not edit `data.log`; this conflicts with SKILL.md's documented `cashflow remove <entry>` command to 'Remove an entry'.
cmd_remove() { echo " Removed: $1"; _log "remove" "${1:-}"; }Do not rely on `cashflow remove` for deletion unless the command is fixed; manually inspect and edit or delete `data.log` and `history.log` when removing sensitive records.
Finance entries and command history can remain on the local machine in plain files and may be printed or exported by the tool.
The skill intentionally persists personal cashflow entries and command history in local files, which is purpose-aligned but may contain sensitive financial details.
All data is stored locally in `~/.local/share/cashflow/` ... `history.log` — Timestamped audit trail of every command executed
Use it only on trusted machines, avoid recording secrets, set `CASHFLOW_DIR` to an appropriate private location, and review both `data.log` and `history.log` for retained sensitive data.