Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Xiao Expense Tracker

v1.0.0

Bookkeeping tool - income and expense recording, category statistics, budget management

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md implements an expense-tracking CLI that calls `clawhub expense ...`, which is consistent with the stated purpose. However, the included _meta.json lists a required binary `curl` (and the README suggests installing via `npx clawhub@latest install expense-tracker`), while the registry metadata reported no required binaries. The skill also assumes that a `clawhub` CLI is available but does not declare that dependency. These mismatches are unexplained and disproportionate to a simple tracker.
Instruction Scope
The SKILL.md instructions are narrowly scoped: they show CLI commands to add income/expense, view stats, and set budgets. There are no instructions to read arbitrary files, environment variables, or send data to unexpected endpoints. The only operational assumption is the presence of a `clawhub` CLI.
Install Mechanism
There is no formal install spec (the skill is instruction-only), which limits the surface risk. However, the README suggests using `npx clawhub@latest install expense-tracker`, which would fetch and run code from npm at install time. Because the skill lacks an explicit install specification and a homepage/source, following the README's npx flow could download arbitrary code. This is a moderate installation risk unless you verify the npm package and its contents first.
Credentials
The skill declares no required environment variables or credentials in the registry metadata, and SKILL.md does not request any secrets. That is proportional to the claimed functionality. Still, the _meta.json lists `bins: ["curl"]`, which SKILL.md never uses; this mismatch is unexplained but not directly credential-related.
Persistence & Privilege
The skill is not marked always:true and uses default autonomous invocation settings. It does not request persistent system-wide configuration or other skills' credentials. No elevated privileges are declared.
What to consider before installing
This skill appears to be a simple CLI-based expense tracker, but there are inconsistencies you should resolve before installing:

1) SKILL.md assumes a `clawhub` CLI is present. Confirm what `clawhub` is and whether you trust it.
2) The README suggests installing via `npx`, which would download and run code from npm. Inspect the npm package (author, code, maintainers, and versions) before running npx.
3) _meta.json lists `curl` as a required binary even though SKILL.md never uses it. Ask the publisher why.
4) There is no homepage or verified source, and the package owner is not a known entity in the metadata. Prefer skills with a clear source repository or publisher.

If you still want to try it, do so in a sandbox, review the npm package contents first, and avoid running installs as an elevated user.


38 downloads
0 stars
1 version
Updated 17h ago
v1.0.0
License: MIT-0

Expense Tracker

A bookkeeping tool to help manage personal finances.

Features

  • ✅ Income and expense recording
  • ✅ Category statistics
  • ✅ Budget management
  • ✅ Report export
  • ✅ Multi-account support

Usage

# Add an expense
clawhub expense add --amount 50 --category "餐饮" --note "午餐"

# Add income
clawhub expense income --amount 5000 --category "工资"

# View statistics
clawhub expense stats --month 2026-04

# Set a budget
clawhub expense budget --category "餐饮" --limit 1500

Pricing

| Edition      | Price     | Features              |
|--------------|-----------|-----------------------|
| Free         | ¥0        | Basic bookkeeping     |
| Pro          | ¥49       | Budgets + reports     |
| Subscription | ¥12/month | Pro + multi-account   |
