Back to skill
Skillv1.0.1
ClawScan security
AI Economic Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 2, 2026, 11:54 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and runtime data needs are consistent with its stated purpose: local bookkeeping and simple economic decision recommendations with no external network access or secret requirements.
- Guidance
- This skill appears coherent and low-risk: it stores data locally in ~/.openclaw/workspace/data/economics (or a custom path you set), requires no API keys, and makes no network calls. Before installing, consider: (1) confirm you are comfortable with JSONL transaction logs being written under your home directory, and (2) if you plan to have an agent call exec(...) to run the script, be aware that the agent will spawn a subprocess to run the CLI (normal for CLI skills). If either behavior is unacceptable, change the ECONOMIC_TRACKER_DATA_DIR or avoid autorunning the skill with cron/automated agent workflows.
Review Dimensions
- Purpose & Capability
- okName/description match the included tracker.py and SKILL.md: the skill tracks balance, logs income/costs, estimates service value from built-in wage data, and recommends work/learn decisions. No unrelated privileges (cloud credentials, network access) are requested.
- Instruction Scope
- noteSKILL.md instructs running the bundled tracker.py (CLI examples, cron entry, and an example exec() call from an agent). Those instructions run only the local script which reads/writes JSONL files in the specified data directory and reads optional environment variables. The exec() example asks the agent to run a shell command — this is expected for a CLI skill but means the agent will execute a subprocess when invoked.
- Install Mechanism
- okNo install spec is provided (instruction-only install). Files are present in the package but nothing is downloaded or extracted at install time. tracker.py uses only Python standard library.
- Credentials
- okNo required environment variables or secrets. Several optional ENV vars control data location and thresholds which are proportional to the skill's configuration needs. No credentials or unrelated service keys are requested.
- Persistence & Privilege
- okThe skill is not always-enabled, can be invoked by the user/agent, and only writes to its own data directory (default under ~/.openclaw/workspace/data/economics). It does not modify other skills or system-wide configs.