Bookkeeping Tool
v1.0.0
Personal bookkeeping tool — record income, expenses, transfers, manage accounts and categories, track budgets, and generate financial reports via local CLI c...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (personal bookkeeping with local SQLite) align with the provided files and commands. The code imports better-sqlite3 and performs account/transaction/category operations consistent with the stated functionality. No unrelated cloud credentials, binaries, or config paths are requested.
Instruction Scope
Runtime instructions ask the agent to run the included scripts/book.mjs under node with JSON args and to init/operate a local SQLite DB. This is within scope for a bookkeeping tool. However, running the script executes arbitrary JavaScript on the host and that code can read/write files and perform other programmatic actions — the SKILL.md does not explicitly constrain filesystem or network access, so you should review the script before running in a sensitive environment.
Install Mechanism
No formal install spec is provided (instruction-only), but SKILL.md tells the operator to install the native package better-sqlite3 via `npm install -g better-sqlite3` if missing. Installing a global npm native module pulls code from the public registry and may require elevated privileges; it's a reasonable dependency for local SQLite but has moderate risk compared to an instruction-only skill with no install steps.
Credentials
The skill requires no environment variables, credentials, or external config paths. That is proportionate to a local-only bookkeeping tool. There are no requests for unrelated secrets or external tokens.
Persistence & Privilege
The skill is not set to always:true and does not claim to modify other skills or global agent settings. It stores its own data in a local SQLite DB (expected for this purpose). Autonomous invocation is allowed by default but not, by itself, a red flag.
Assessment
This skill appears coherent for local personal bookkeeping, but it runs a Node script on your machine and asks you to install a native npm package globally. Before installing or invoking it:
1) inspect scripts/book.mjs (search for network APIs like fetch/http/https, child_process usage, or references to absolute paths such as /root, ~/.ssh, /etc);
2) avoid running `npm install -g` as root — prefer a local install (npm install --no-save or in a sandboxed environment) or use a container/VM;
3) run the tool in an isolated/sandboxed environment (or with networking disabled) until you've audited it;
4) back up any important data and check where the SQLite DB will be created to avoid accidental overwrites;
5) confirm there are no unexpected external endpoints or telemetry before giving it access to sensitive files.
If you want higher confidence, provide the full, untruncated scripts/book.mjs for a complete code audit.
Like a lobster shell, security has layers — review code before you run it.
latestvk97as3842ahb762a8d7npmca8x8443yh
