Spend Ledger

If an agent passes an attacker-controlled filter value to query-log.sh, arbitrary Node.js code could run on the user's machine with the skill's local privileges.

User-controlled CLI filter values are interpolated directly into a Node.js -e JavaScript program. A crafted service, date, skill, or summary value containing quotes and JavaScript can break out of the string literal and execute code.

A user may install the skill believing it only sees outputs, while it can inspect payment inputs and may persist fragments of sensitive arguments locally.

This privacy claim is broader than the provided implementation: plugin.js reads tool params before execution, and detectors.js stores truncated argument summaries. Users could underestimate what payment-call data is visible to the skill.

The local ledger can contain financial history, service details, transaction identifiers, user-request context, and portions of payment tool arguments.

Detected payment records persist a truncated copy of payment tool arguments. This is local and aligned with transaction review, but payment arguments can include sensitive context or token-like fragments.

A bad or compromised pattern feed could cause false payment detections or affect duplicate-payment blocking behavior.

The skill automatically fetches and caches remote community patterns that influence what tool calls are treated as payments. This is disclosed and configurable, but it makes remote pattern provenance important.

Legitimate repeated payments with identical inputs in the same session may be blocked, and false positives in detection could interrupt expected work.

The plugin can block tool calls before execution when it believes a duplicate payment is being attempted. This is central to the stated purpose and disclosed, but it is a high-impact control over payment-capable tools.