Skillv1.1.0

ClawScan security

Receipt Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 11, 2026, 9:43 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The SKILL.md describes a chat-driven receipt OCR that writes to a local CSV, but the included code contains a Nextcloud scanner with hard-coded credentials and network targets that are not mentioned in the documentation — this mismatch is concerning.
Guidance: Do not install or enable this skill until you validate its origin and the purpose of nc_worker.py. Specific actions to consider: - Ask the author why a Nextcloud scanner and hard-coded credentials are included; require removal of any embedded secrets and moving credentials to environment variables if remote access is truly needed. - If you only want chat-uploaded receipts saved to local CSV, remove nc_worker.py before use or inspect/replace it with audited code that only performs the documented steps. - Treat the embedded Nextcloud credentials as sensitive: rotate/change them if they are real and were used elsewhere. - If you accept remote-Nextcloud functionality, insist on secure configuration (no hardcoded passwords, explicit requires.env entries, host allowlist) and an explanation of what files/folders the skill will access. - Because the skill can run exec/python per SKILL.md, audit any runtime behavior and avoid granting it access to sensitive system areas. If you are unsure, do not enable autonomous invocation until you have reviewed/modified the code.
Findings: [hardcoded-credentials] unexpected: nc_worker.py contains plaintext credentials (USER = "receipts", PASS = "yu9cZvCVtctkhg3!"). The skill's documentation never mentions accessing Nextcloud or needing these credentials, so hardcoded secrets are unexpected and risky. [internal-network-endpoint] unexpected: nc_worker.py references a host http://fedora:8082/remote.php/dav and a Nextcloud folder path. This implies network access to internal services; the SKILL.md did not describe connecting to or scanning a Nextcloud instance.

Review Dimensions

Purpose & Capability: concernThe README/ SKILL.md describes handling user-uploaded receipt images via an OpenClaw subagent and saving results to a local CSV. However, the repository also contains nc_worker.py which implements (or intends to) a Nextcloud scanner: it points to an internal URL, a Nextcloud folder, and embeds a username/password. The SKILL.md does not mention any Nextcloud integration or the need for remote file access, so the code's presence and embedded credentials are not coherent with the stated purpose.
Instruction Scope: noteThe SKILL.md instructs the agent to spawn a subagent (sessions_spawn) using model 'gemini-2.5-flash', accept uploaded file paths, run OCR/analysis, and read/write the CSV at /opt/.openclaw/.../expenses.csv. Those instructions are generally in-scope for a receipt tracker, but they explicitly permit running exec/bash/python and reading/writing the agent workspace. That is expected for a local tracker but grants the skill the ability to run arbitrary local commands — a user should confirm this is acceptable.
Install Mechanism: okThere is no install spec (instruction-only skill plus a small helper script). This is the lowest install-risk category because nothing is automatically downloaded or installed during skill activation.
Credentials: concernThe skill declares no required environment variables, yet nc_worker.py contains hard-coded Nextcloud credentials (USER and PASS) and a network host (http://fedora:8082/remote.php/dav). Requesting or embedding network credentials that are unrelated to the SKILL.md workflow is disproportionate. If the Nextcloud integration is intended, credentials should be declared explicitly and provided securely (not embedded in code); if not, the file is extraneous and risky.
Persistence & Privilege: okThe skill does not request always:true and does not modify other skills' configs. It writes to a CSV in the agent workspace, which aligns with its stated behavior. Autonomous invocation is allowed (default) but not by itself a reason to block.