Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
spend-ledger
v0.3.0
Tamper-evident payment ledger for autonomous agents — auto-detects payments across all tools, prevents duplicate payments, and presents full spending history.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (tamper-evident spend ledger, duplicate protection, detection) align with the code and hooks. The plugin registers before_tool_call and tool_result_persist hooks to detect and block duplicates and log transactions as described. Required binaries (node) and OS restrictions match the implementation. Minor metadata mismatch: package.json version 0.2.0 vs registry version 0.3.0 (documentation/packaging inconsistency).
Instruction Scope
SKILL.md and README claim all transaction data stays local and that no payment data is sent anywhere, but the implementation fetches community patterns from api.spend-ledger.com and can POST user-submitted patterns (submitPattern) including a stable submitter_hash. More importantly, the HTTP dashboard sets Access-Control-Allow-Origin: "*" which — combined with it binding to 127.0.0.1 and exposing endpoints that return transactions — allows a webpage open in the user's browser to fetch local transaction data and read it. Also the docs claim arguments are truncated and full arguments are never stored, but detectors extract a full URL (regex match) into the service.url field which appears to be stored; this can include sensitive query tokens if they appear in command arguments/URLs. There are a few doc/code mismatches about pattern sync frequency (docs mention hourly vs code uses 24h).
Install Mechanism
No automated download/install spec is present (no remote install step). The skill ships code files that run under node; this is expected. Network fetches (patterns.json) come from a single well-named host (api.spend-ledger.com). There is no install-time arbitrary archive download observed in the provided files.
Credentials
The skill requires no credentials and only optional env vars for port/URLs; that is proportionate. A privacy-related signal: it generates and stores a per-install UUID and uploads a SHA-256 submitter_hash when the user opts to submit patterns — this enables correlation of submissions across time but does not directly send transaction data. The code also stores tx_hash and idempotency_key in full (deliberate for deduplication).
Persistence & Privilege
The skill runs a local HTTP dashboard bound to 127.0.0.1 and periodically syncs community patterns in the background — both reasonable for the feature set. However, the server responds with permissive CORS headers (Access-Control-Allow-Origin: "*") and unauthenticated endpoints that return transactions and exports; this materially increases the risk of cross-origin data exfiltration via a user's browser. The skill is not marked always:true and does not alter other skills' configs.
What to consider before installing
This skill appears to implement the stated local ledger and duplicate-prevention features, but review these points before installing:
- Local HTTP dashboard CORS: The dashboard binds to 127.0.0.1 (local only) but returns Access-Control-Allow-Origin: "*". A malicious webpage you visit could issue fetch requests from your browser to the dashboard and read responses (including transaction lists) if the dashboard is running. If you run this, avoid visiting untrusted websites while the dashboard is running, or restrict access (run it only when needed).
- Remote pattern sync & submissions: The skill fetches patterns from api.spend-ledger.com automatically and can POST user-submitted patterns (including a stable submitter_hash). If you are offline or want zero network activity, block outbound access for this skill or set the SPEND_LEDGER_PATTERNS_URL env var to a safe local URL. Community patterns themselves are regex-like metadata and are not payment records, but they can change detection behavior.
- Potential sensitive URL storage: The code extracts a full URL from tool args into the service.url field; this may include query tokens or other secrets if tools are invoked with them. The README/TECHNICAL.md claim 'full arguments are never stored' is not strictly true in that service.url can capture full URLs. If your workflows ever pass secrets in URLs or tool args, inspect transactions.jsonl and the code in transactions.js to confirm redaction behavior before trusting it.
- Least privilege & isolation: Run the skill in a single-user, non-shared environment and ensure data/ directory permissions are correct (the project attempts 0600). Consider running the dashboard only when needed; you can also firewall/block outbound access to api.spend-ledger.com if you do not want remote pattern syncing.
- If you need higher assurance: review transactions.js (appendTransaction and any sanitization) and test the endpoints (GET /api/transactions) locally to confirm exact fields returned. If you require guaranteed zero network I/O or CORS-safe behavior, request modifications (disable auto-sync, remove wildcard CORS, or add optional auth) from the maintainers.
Given the combination of mostly coherent functionality but these privacy/exfiltration implementation details, treat this skill as usable with caution rather than safe-by-default.
test/test.js:368
Shell command execution detected (child_process).
server/patterns-sync.js:21
Environment variable access combined with network send.
test/test.js:371
Environment variable access combined with network send.
server/patterns-sync.js:13
File read combined with network send (possible exfiltration).
test/test.js:3
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
latest vk97fknn217v4vabj4rye86hrhs83yxfq
Runtime requirements
💰 Clawdis
OS: macOS · Linux
Bins: node
