Plutus — God of Wealth
Pass
Audited by VirusTotal on May 9, 2026.
Overview
Type: OpenClaw Skill
Name: plutus
Version: 1.0.1
The 'plutus' skill is a legitimate financial utility designed to parse receipts and CSV transactions into categorized expense reports. The Python script in SKILL.md operates entirely locally, performing data aggregation and generating Markdown/CSV summaries without any network activity or unauthorized file access. While it contains a minor syntax bug in the filename generation logic (a comma instead of a dot in the date formatting), there is no evidence of malicious intent, data exfiltration, or prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the package could change the local Python environment, and the exact package version is not fixed.
The skill instructs installation of an unpinned PyPI package and uses a flag that bypasses system Python package protections. This is disclosed and related to report formatting, but it still carries normal package supply-chain and environment-modification risk.
pip3 install rich --break-system-packages --quiet
Install in a virtual environment when possible, consider pinning a known-good version of 'rich', and avoid '--break-system-packages' unless you understand the impact.
Private spending or business expense information may remain on disk after the skill runs.
The skill processes personal or business financial transactions and creates persistent local report files. This is purpose-aligned, and the artifact claims no data is transmitted, but the saved reports may contain sensitive financial summaries.
Paste raw text, a list, or point to a CSV of transactions... Export: Markdown report + CSV summary saved to disk
Use only trusted local files, review where the report is saved, and delete or protect generated reports if they contain sensitive financial data.
