Plutus Pro
Review
Audited by ClawScan on May 10, 2026.
Overview
The visible artifacts are coherent for a paid local expense-analysis skill, but users should notice the sensitive financial inputs and the unpinned Python package install.
This looks purpose-aligned for local finance reporting, but install it carefully: prefer a virtual environment, keep the license key private, and provide only the transaction data needed. Because the provided SKILL.md excerpt is truncated, review the full skill text before running it.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing this dependency could affect the user's Python environment and carries normal third-party package supply-chain risk.
The skill asks the user to install an unpinned PyPI dependency and to use --break-system-packages, which can modify the local Python environment. This is disclosed and purpose-aligned for Rich-based terminal output, but it is worth noticing.
pip3 install rich --break-system-packages --quiet
Install in a virtual environment when possible, pin the package version, and avoid --break-system-packages unless the user understands the local impact.
A license key exposed in logs, prompts, or shared environments could be reused by others.
The skill requires a license key and the visible code checks its SHA-256 hash locally. This is expected for a paid skill and does not show network transmission, but the key should still be treated as a credential.
requires: env: [LICENSE_KEY] ... LICENSE_KEY = os.environ.get("LICENSE_KEY", "").strip() ... sha256
Set the license key only in a local environment variable and avoid pasting it into shared chats, logs, or reports.
Personal spending history, budget details, savings goals, and tax-category information may be exposed to whoever can view the agent session or outputs.
The skill is designed to ingest detailed financial transaction data. That is directly aligned with expense analysis, but the data may be sensitive and may appear in the agent's working context or generated reports.
EXPENSES_FILE ... "Path to a CSV of transactions (date, description, amount)"; EXPENSES_TEXT ... "Raw expense text, one per line"
Use a scoped export containing only the transactions needed for the report, remove unrelated personal details, and avoid sharing generated reports publicly.
