Skill v1.0.0
ClawScan security
Daily Income Logger · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 11:46 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions and data access are coherent with a local daily income logger — it reads/writes a JSON file under the user's home directory and does not request external credentials or network access — but it omits a required CLI dependency (jq) and assumes the agent can run shell scripts, so a few implementation details are inconsistent.
- Guidance: This skill appears to be a straightforward local income tracker that stores data under ~/.daily-income-logger and does not phone home. Before installing/using: 1) Be aware the agent will need permission to run shell commands and write to your home directory; limit those permissions if you are cautious. 2) Install and verify jq on the host (the scripts use jq but the skill doesn't declare it). 3) Confirm you are comfortable storing financial data locally in ~/.daily-income-logger (consider filesystem permissions or encrypting backups). 4) If you plan to run on macOS, test the date commands (BSD date differs from GNU date). 5) If you want stricter guarantees, inspect and run the provided scripts in a sandbox or manually rather than allowing autonomous agent execution.
- Findings
[NO_MATCHES] expected: Regex scanner found no matches. This is expected because the skill is instruction-only (SKILL.md + package.json) and contains no executable code files for static rules to scan. Treat the SKILL.md as the primary artifact for review.
Review Dimensions
- Purpose & Capability (ok): Name/description (local income tracking, reports, exports) match the actual behavior: the SKILL.md provides bash scripts that read/write local JSON under ~/.daily-income-logger and produce reports. Nothing in the scripts attempts to access unrelated services or credentials.
- Instruction Scope (note): Instructions are narrowly scoped to creating/reading/writing files in $HOME/.daily-income-logger and producing CSV/JSON outputs; they do not perform network calls or try to read unrelated system files. Note: the runtime instructions are shell scripts that the agent would need to execute; they therefore require the agent to have permission to run shell commands and write to the user's home directory.
- Install Mechanism (ok): No install spec or downloads — instruction-only skill. Nothing is written to disk by a packaged installer beyond the scripts the agent runs at runtime.
- Credentials (concern): The skill declares no required binaries, but the scripts call jq (and rely on standard POSIX utilities and GNU date semantics). This is a mismatch: jq should be listed as a required binary. The scripts also require filesystem write access to the user's home directory (explicitly documented in SKILL.md), which is proportionate for a local logger but worth noting for privacy.
- Persistence & Privilege (ok): always:false (default) and no credentials requested. The skill stores its own data under ~/.daily-income-logger only and does not modify other skills or system-wide agent configuration.
