warn
suspicious.prompt_injection_instructions
- Location
- SKILL.md:45
- Finding
- Prompt-injection style instruction pattern detected.
Expense Report Pro
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.prompt_injection_instructions
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
What this means
If setup is run in a workspace that already has an expenses directory, existing financial records or custom rules could be overwritten.
Why it was flagged
The setup flow writes over expense-log.json and config.json, and copies categories.md, without checking whether those files already exist or asking for backup/confirmation.
Skill content
echo '[]' > expenses/expense-log.json ... cat << 'EOF' > expenses/config.json ... cp skills/expense-report-pro/config/default-categories.md expenses/categories.md
Recommendation
Back up any existing expenses directory first, and change setup to initialize files only when missing or after explicit user confirmation.
What this means
Users may send financial receipts or expense details under an overconfident privacy assumption, without checking how their chat, vision, model, or search providers handle the data.
Why it was flagged
The skill handles sensitive receipts but combines external chat/agent usage with very strong privacy and verification claims that the included artifacts do not substantiate.
Skill content
"100% private" ... "Text or DM your agent the receipt in Telegram, Discord, Slack, etc." ... "Everything stays on your machine" ... "Codex Security Verified"
Recommendation
Treat the privacy badge and local-only claims as unverified; confirm your OpenClaw deployment and any chat/vision/search providers before processing sensitive receipts.
What this means
Anyone with access to the workspace, backups, or synced files could read expense history and receipt images; local category/config files may also influence future categorization.
Why it was flagged
The skill persistently stores and reuses local financial records and receipt images, which is expected for expense tracking but sensitive.
Skill content
`expenses/expense-log.json` - The main database of all expenses. `expenses/receipts/` - Directory containing saved receipt images.
Recommendation
Keep the expenses directory private or encrypted, avoid storing full card numbers, and review local expense/config/category files before relying on reports.
What this means
Report generation may require installing external packages that are not declared in the registry requirements.
Why it was flagged
The package metadata says there is no install spec, but the PDF generation path depends on Playwright and a Chromium browser install.
Skill content
Dependencies: pip install playwright && playwright install chromium
Recommendation
Install Playwright/Chromium only from trusted sources and review dependency installation steps before running report generation.