Receipt Subscription Cleaner
Pass
Audited by ClawScan on May 1, 2026.
Overview
This read-only receipt-audit skill is coherent and includes privacy guardrails, but users should remember it may handle sensitive receipt or email data.
This skill appears safe for a read-only subscription audit. Before installing or using it, limit the receipts or exports you provide, prefer offline files over account connections, use read-only scopes for any optional integration, and confirm that cancellation messages are only drafted rather than sent.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If enabled, the skill could read receipt-related account or email data through an integration.
The skill may use delegated email or API access when the user explicitly asks, which is sensitive account authority even though it is purpose-aligned and limited to read-only scopes.
If API access is explicitly requested, use read-only scopes only.
Prefer offline exports when possible; if connecting an account, grant only read-only, receipt-specific access and revoke it after the audit.
Receipts and email exports may reveal personal spending patterns, addresses, partial card details, and subscription history.
The main inputs can contain sensitive financial, address, and purchase-history information; the skill acknowledges this with local-storage and redaction guidance.
Receipt sources (email export, PDF folder, or CSV list).
Provide only the files and time window needed for the audit, and review outputs to ensure sensitive fields are redacted.
If webhook automation is configured, receipt metadata could be passed into the workflow automatically.
Optional webhook-style receipt triggers introduce an inbound data flow containing email metadata and attachment references; the artifact also says to treat inbound data as untrusted.
Optional: trigger when a new receipt arrives. Payload should include sender, subject, date, and attachment reference.
Only enable webhook triggers from trusted sources, keep payloads minimal, and verify that inbound receipt data is sanitized before use.
