Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Income Tracker

v1.0.0

Income Tracker - multi-platform income recording, statistical analysis, and trend charts. Suited to freelancers, creators, and people with side businesses.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code implements local income recording, statistics, and simple ASCII charts, which match the stated purpose. However, SKILL.md mentions '实时接口' (real-time exchange rates) and optional '云同步' (cloud sync), while the provided code uses a hard-coded EXCHANGE_RATES table and contains no obvious network or cloud-sync calls — the documentation overstates the implemented capabilities.
Instruction Scope
Runtime instructions and config focus on local JSON storage (DATA_PATH) and standard actions (add, stats, chart, analyze, export). The SKILL.md does not instruct reading unrelated system files or exfiltrating data. Code reads/writes only the configured data path under the user's HOME.
Install Mechanism
There is no explicit install spec, but package.json/package-lock.json are included. package-lock.json pins dependency tarballs to mirrors.tencentyun.com using plain HTTP URLs, which is an unexpected and insecure download source and raises supply-chain/MITM risk if npm follows the resolved URLs during install.
Credentials
The skill declares no required credentials or sensitive env vars. It uses HOME and an optional DATA_PATH env var for local storage — access is proportional to purpose. No unrelated secrets or config paths are requested.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system configuration. It persists only its own data file under the configured DATA_PATH, which is expected for this functionality.
What to consider before installing
This skill appears to implement local income tracking and analytics as described, but exercise caution before installing or running it:

- The package-lock.json references non-standard HTTP mirror URLs (mirrors.tencentyun.com). If you run npm install, these URLs could be used to fetch packages over an insecure channel. Consider editing package-lock.json or reinstalling dependencies from the official registry (registry.npmjs.org), and ensure HTTPS is used.
- SKILL.md mentions real-time exchange-rate APIs and cloud sync, but the shipped code uses a local EXCHANGE_RATES object and contains no obvious sync/network code; expect functionality to be local unless you audit or extend the code.
- The skill stores data under your HOME by default. Set DATA_PATH to a directory you control, back up data before use, and consider encrypting sensitive entries as the docs suggest.
- If you plan to run this skill in a privileged environment, run it first in a sandbox or review the remainder of index.js (some of the file was truncated in the bundle) to confirm there are no unexpected network calls or file accesses.

If these issues concern you, ask the publisher for a clean lockfile (with HTTPS official registry URLs) and for clarification about the advertised cloud and exchange-rate features before installing.
