Skill v1.0.0

ClawScan security

Personal Finance Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 6, 2026, 12:42 PM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, instructions, and storage model are consistent with a local, privacy‑focused personal finance helper; it requests no credentials or external installs and only writes local files with user consent.
Guidance
This skill appears coherent and privacy‑focused, but consider these practical checks before installing:
1) Verify you trust the publisher/homepage (source is listed as unknown in the registry).
2) When asked to enable continuity, only opt in if you want a local folder under ~/personal-finance-tracker/ and avoid storing raw statements or full account numbers.
3) The included tools are plain Python scripts that read CSVs and print summaries — ensure python3 is available in your environment before running.
4) Review the small Python files yourself (they are short and offline) if you want extra assurance that nothing transmits data.
5) If you plan to keep sensitive data locally, consider encrypting the folder or using a secure location.
Overall this looks consistent with the stated purpose.

Review Dimensions

Purpose & Capability
ok: Name/description match the included artifacts: two small Python CSV tools (cashflow_rollup.py, recurring_scan.py), documentation, and playbooks for reviews and debt triage. Nothing requested (no env vars, no external binaries) is outside what's needed for CSV analysis and local notes.
Instruction Scope
ok: Runtime instructions limit activity to processing user-provided CSVs and creating an opt-in local workspace. SKILL.md and setup.md explicitly require asking before creating ~/personal-finance-tracker/ and advise against storing full statements or credentials.
Install Mechanism
note: No install spec (instruction-only) and included Python scripts are local and deterministic with no network calls. Minor note: the skill doesn't declare required binaries but expects python3 to run the scripts; this is typical but you may want to confirm python3 is available in your agent environment.
Credentials
ok: No environment variables, credentials, or remote endpoints are requested. Metadata mentions a local config path (~/personal-finance-tracker/) but storage is explicitly opt-in and limited to high-level context (balances, recurring bills, notes), not account numbers or credentials.
Persistence & Privilege
ok: always:false and normal autonomous invocation are used. The skill may create local files only with user consent and does not request system-wide or other-skills privileges.