Income Tracker
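v1.0.1
Income Tracker - multi-platform income recording, statistical analysis, and trend charts. Suitable for freelancers, creators, and people with side jobs.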
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (income tracking, analytics, charts) align with the included code: local JSON storage, add/list/stats/chart/predict functions. The declared config DATA_PATH and use of HOME are appropriate for a local tracker. The skill does not ask for unrelated credentials or system access.
Instruction Scope
SKILL.md instructs local JSON storage, export/import and references cloud-sync and 'real-time exchange rate' as optional/notes, but the shipped index.js uses a built-in static EXCHANGE_RATES and contains no network/cloud sync code in the visible source. This is a minor inconsistency (features advertised vs implemented) but not evidence of malicious behavior. The instructions do not direct the agent to read unrelated system files or exfiltrate data.
Install Mechanism
There is no install spec (instruction-only) but the package.json/package-lock are included and list normal dependencies (asciichart, chalk, dayjs). package-lock shows packages resolved from a Tencent npm mirror (mirrors.tencentyun.com) — not inherently malicious but is an implementation detail to be aware of if you plan to install dependencies locally. No downloads from arbitrary URLs or extract operations are present.
Credentials
The skill requires no secrets or external credentials. It reads DATA_PATH (config) and HOME to store files; those are proportional to its stated purpose. It does write to the user's filesystem (data file under ~/clawd by default), which is expected for a local tracker.
Persistence & Privilege
always:false and default autonomous invocation are normal. The skill persists only to its configured data file and does not attempt to modify other skills or system-wide configuration. Autonomous invocation is allowed (platform default) but there are no other broad privileges requested.
Assessment
This skill appears to be a straightforward local income tracker. Before installing or running it:
1) Confirm the DATA_PATH (default ~/clawd/data/income-tracker.json) and move it if you prefer a different location; back up any existing file at that path.
2) If you store sensitive notes, consider encrypting the data file as the skill stores JSON in plaintext.
3) Note that SKILL.md mentions 'cloud sync' and 'real-time exchange rates' but the included code uses static exchange rates and contains no cloud sync — if you need those features, ask the author for implementation details.
4) If you install dependencies locally, verify the npm registry/mirror you use (package-lock references a Tencent mirror) and run in a sandbox if you have concerns.
5) Check the repository/homepage (https://clawhub.com/skills/income-tracker or the repo URL in package.json) for updates, issue tracker, and privacy/premium details before relying on it for production data.
Like a lobster shell, security has layers — review code before you run it.
