Bill Tracker

Pass

Audited by ClawScan on May 1, 2026.

Overview

This skill is purpose-aligned, but it uses a long-lived session token to retrieve sensitive bill and balance information from a configured Bill Tracker server.

Before installing, make sure you trust the Bill Tracker server URL and understand that the session token can access private bills and account balances. Protect the token like a password and revoke or rotate it if it is ever exposed.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can call the configured Bill Tracker API and return private financial information when asked.

Why it was flagged

The skill instructs the agent to use shell/curl for API calls. This is central to the skill's purpose and is scoped to user-requested financial queries, but users should recognize that it gives the agent a path to make authenticated network requests.

Skill content

When the user asks about their bills, account balances, or whether they can afford something, use the `bash` tool to call the Bill Tracker API.

Recommendation

Use this only with a trusted BILL_TRACKER_URL, and check that requests are limited to the documented Bill Tracker endpoints.

What this means

Anyone or any tool with access to this token may be able to retrieve your Bill Tracker financial data.

Why it was flagged

The skill requires a long-lived session token that identifies the user and authorizes access to account balances, bills, and affordability information. This is expected for the purpose but sensitive.

Skill content

`BILL_TRACKER_SESSION_TOKEN` - Session token for authentication ... Tokens are long-lived; no need to re-verify on every request.

Recommendation

Store the token securely, use the least-privileged account available, revoke or rotate it if exposed, and avoid configuring it for untrusted agents or shared environments.

What this means

You have limited external information to verify the publisher or intended Bill Tracker service.

Why it was flagged

There is no linked source repository or homepage for independent provenance review. The provided artifact is instruction-only, so this is not by itself suspicious, but it matters because the skill handles financial API access.

Skill content

Source: unknown; Homepage: none

Recommendation

Confirm the skill publisher and the BILL_TRACKER_URL before adding your session token.