Jackzhang Expense Receipt Organizer

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill's stated purpose (OCR receipts → CSV + ZIP) matches what its instructions describe, but it instructs the agent to dynamically install an npm package at runtime and to collect sensitive bank/account information without guidance about local-only handling. Those two behaviors increase risk and deserve caution.

This skill appears to do what it claims, but exercise caution before installing/running it:

1) The instructions tell the assistant to run 'npm install tesseract.js' at runtime with no pinned version or integrity checks. Installing packages dynamically can execute arbitrary code (install scripts run with the agent's privileges). Only proceed if you trust the environment and the network source.

2) The skill asks for bank account info and will process sensitive files; confirm that processing will remain local and that temporary files are securely deleted.

3) If possible, pin package versions or provide a vetted package bundle, and/or run the process in an isolated VM/container.

4) Request that the author add explicit privacy/retention guidance (local-only processing, no uploads, how temp files are removed) and pin npm dependency versions or include a lockfile to reduce supply-chain risk.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

No visible risk-analysis findings were reported for this release.