Expense Tracker

Pass

Audited by ClawScan on May 1, 2026.

Overview

This skill appears purpose-aligned and local-only, but it does run local scripts and stores personal spending records on disk.

This looks safe to use if you are comfortable storing spending records locally in the skill folder. Before installing, make sure jq and bc are available, review budget defaults, and periodically back up or protect expenses/ledger.json.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A misinterpreted user message could add or update the wrong expense or budget entry.

Why it was flagged

The skill tells the agent to convert user spending statements into local shell-script calls that append expense records. This is central to the skill, but it is still local mutation based on parsed natural language.

Skill content

bash skills/expense-tracker/scripts/add-expense.sh <amount> "<category>" "<vendor>" "<date>" "<notes>"

Recommendation

Review the agent's confirmations, especially for ambiguous vendors, refunds, deletions, and budget changes.

What this means

The skill may not work until jq and bc are installed, despite the registry saying no binaries are required.

Why it was flagged

The README documents required local tools, while the registry metadata declares no required binaries. This could cause installation or runtime surprises, although the dependencies are purpose-aligned and disclosed in the README.

Skill content

- **jq** — JSON processor. Install with `brew install jq` (macOS) or `apt install jq` (Linux)
- **bc** — calculator

Recommendation

Confirm jq and bc are installed before using the skill, and treat the README requirements as the authoritative setup guidance.

What this means

Anyone with access to the skill folder could read the user's expense history.

Why it was flagged

The skill persistently stores personal spending history in a local JSON ledger. This is expected for an expense tracker, but the contents are sensitive financial records that may be reused in future reports and queries.

Skill content

Your data lives in `expenses/ledger.json` as plain JSON.

Recommendation

Keep the skill directory private, avoid sharing ledger files unintentionally, and back up or delete the ledger according to your privacy needs.