Cashflow
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: cashflow Version: 2.0.1 The CashFlow skill is a simple Bash-based utility for logging and searching local text entries. Analysis of 'scripts/script.sh' and 'SKILL.md' shows no network activity, no credential access, and no suspicious execution patterns; it strictly manages data within a local directory (~/.local/share/cashflow/).
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may believe a sensitive financial entry was deleted when it actually remains on disk.
The implementation reports that an entry was removed but does not edit `data.log`; this conflicts with SKILL.md's documented `cashflow remove <entry>` command to 'Remove an entry'.
cmd_remove() { echo " Removed: $1"; _log "remove" "${1:-}"; }Do not rely on `cashflow remove` for deletion unless the command is fixed; manually inspect and edit or delete `data.log` and `history.log` when removing sensitive records.
Finance entries and command history can remain on the local machine in plain files and may be printed or exported by the tool.
The skill intentionally persists personal cashflow entries and command history in local files, which is purpose-aligned but may contain sensitive financial details.
All data is stored locally in `~/.local/share/cashflow/` ... `history.log` — Timestamped audit trail of every command executed
Use it only on trusted machines, avoid recording secrets, set `CASHFLOW_DIR` to an appropriate private location, and review both `data.log` and `history.log` for retained sensitive data.