Intelligent Budget Tracker

v1.0.1

Intelligent budget tracking and financial management library for AI agents - expense tracking, income management, budgets, savings goals, and LLM-powered insights

by Eric Kariuki (@enjuguna)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description and the SKILL.md content describe a budget-tracking library (expenses, budgets, goals, analytics) and those features are coherent with the stated purpose. However, the registry metadata (slug: intelligent-budget-tracker) does not match the npm package name referenced in the instructions ('agent-money-tracker' / import 'agent-money-tracker' / variable 'clawhub'), which is an inconsistency that could be an editorial mistake or a sign of mismatch/typosquatting.
Instruction Scope
SKILL.md instructs consumers to npm install and import a third-party TypeScript library and shows APIs that read/write local data paths and perform exports/backups. It also references an environment variable (CLAWHUB_DATA_PATH) and platform-specific storage locations; that env var is not declared in the registry metadata. The instructions do not ask to exfiltrate data to external endpoints, but they do instruct file-system access and installing and running external code — both expected for such a library but sensitive and not fully documented here (no provenance or required credentials).
Install Mechanism
The registry contains no install spec, yet SKILL.md tells you to 'npm install agent-money-tracker'. Because the package source/homepage are unknown and the registry metadata lacks provenance, having the agent install a third-party npm package is a moderate risk: npm packages execute code when installed/required and can contain malicious logic. The instruction to install from the public npm ecosystem is expected for a library, but the absence of a declared, verifiable source (homepage or repo) raises concern.
Credentials
No environment variables or credentials are declared in the registry metadata, which is appropriate for a local-only budget tracker. However, SKILL.md references CLAWHUB_DATA_PATH (to override the data location) without that variable being declared. While the library does not request secrets or cloud credentials (proportional to purpose), the undocumented environment variable is a discrepancy that should be clarified.
Persistence & Privilege
No elevated persistence is requested: always is false, the skill is user-invocable, and there is no indication it modifies other skills or global agent configs. File-system writes are expected for local data storage but are limited to the library's own data paths per the documentation.
What to consider before installing
Before installing or letting an agent use this skill:
1) Verify the npm package name and author: search for 'agent-money-tracker' on the npm registry and check the package README, repository, and publish history.
2) Confirm the package's source (GitHub or other repo) and review its code for anything unexpected (network calls, credential access, postinstall scripts).
3) Treat the CLAWHUB_DATA_PATH env var as sensitive: set it to an isolated directory or sandbox and do not point it at system folders.
4) If you must run it, do so in a restricted/sandboxed environment (container or VM) and avoid running on systems with sensitive data.
5) If the registry entry and SKILL.md disagree (slug vs npm name), contact the publisher or avoid installing until the mismatch and provenance are resolved.
These inconsistencies are not definitive proof of malicious intent, but they are good reasons to inspect the package and its source before trusting it.
