Skill v1.0.0

ClawScan security

Jarvis Debt Repayment Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 29, 2026, 11:15 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions match a simple local income/debt tracker, but minor inconsistencies (a package.json that references missing scripts, an unknown source/homepage, and vague expansion notes about connecting bank/payment APIs) mean you should inspect it before trusting it with real data or credentials.
Guidance
This skill appears to be a local, instruction-only income/debt tracker and does not request credentials or install code — that is good. Before installing or using it with real financial data:
1) Verify the author/source (homepage is example.com and owner is unknown).
2) Inspect the repository for the missing scripts referenced in package.json (scripts/record.js, report.js, debt.js); if they are absent, ask the publisher why or avoid executing unknown scripts.
3) Do not provide bank/payment API keys or other secrets unless you confirm the exact code that will use them.
4) Run it in a sandbox or test workspace first so it only writes local markdown files you control.
5) If the skill is later extended to import bank statements or connect payment APIs, require explicit review of that implementation and of any network endpoints it communicates with.

Review Dimensions

Purpose & Capability
note: The skill describes a local income/debt tracker and its SKILL.md only references creating/reading markdown logs and generating reports — that matches the stated purpose. However, package.json lists node scripts (scripts/record.js, scripts/report.js, scripts/debt.js) even though no code files are present; this mismatch suggests either missing files or inaccurate metadata.
Instruction Scope
ok: Runtime instructions are scoped to recording income/expense/debt in local markdown files and generating reports. There are no instructions that ask the agent to read unrelated system files or exfiltrate data. The SKILL.md does mention optional future features (import bank statements, connect payment APIs) but does not instruct how to do that now.
Install Mechanism
ok: No install spec is provided (instruction-only), so nothing will be written to disk by an installation step. This is low-risk from an installation perspective.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths. That is proportionate for a local, file-based tracker. Be aware the README/SKILL.md mention potential integrations (bank/payment APIs) which would legitimately require credentials if implemented later.
Persistence & Privilege
ok: The skill is not forced always-on and uses default invocation settings. It instructs the agent to write/read local markdown files (its own data storage), which is a normal level of persistence for this purpose.