Income Tracker
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill appears to be a coherent local income tracker, with noteworthy but disclosed handling of personal financial records.
This looks safe to use as a local income tracker if you are comfortable storing income records on disk. Choose the data path carefully, protect or encrypt the file if it contains sensitive financial details, and do not rely on the built-in currency conversion for exact accounting.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with access to the data file or exported output could see income amounts, sources, notes, and tags.
The skill stores and exports income records, which are sensitive personal financial data. This is purpose-aligned and disclosed, but users should understand the data is local JSON and may need encryption.
Income data is stored locally in JSON format, with support for: - automatic backup - data export (CSV/JSON) ... 4. Store sensitive data encrypted
Store the data file in a private location, avoid putting highly sensitive notes in records, and use filesystem or disk encryption if the income data is sensitive.
Misconfiguration could place income data somewhere unexpected or replace a file at the configured path.
The skill creates directories and writes the income database to a configurable path. This is expected for the tracker, but a bad DATA_PATH could overwrite an unintended user-writable file.
const dataPath = process.env.DATA_PATH || DEFAULT_DATA_PATH;
...
fs.mkdirSync(dir, { recursive: true });
fs.writeFileSync(dataPath, JSON.stringify(data, null, 2));
Use the default path or set DATA_PATH only to a dedicated income-tracker JSON file that you control.
Dependency installation depends on the package manager honoring the lockfile and integrity checks.
The lockfile pins dependencies with integrity hashes, but dependency URLs use an HTTP mirror. This is a minor supply-chain provenance note rather than evidence of malicious behavior.
"resolved": "http://mirrors.tencentyun.com/npm/dayjs/-/dayjs-1.11.20.tgz", "integrity": "sha512-YbwwqR/uYpeoP4pu043q+LTDLFBLApUP6VxRihdfNTqu4ubqMlGDLd6ErXhEgsyvY0K6nCs7nggYumAN+9uEuQ=="
Install using the provided lockfile through a trusted package manager or registry configuration, and avoid bypassing integrity checks.
Income totals converted between currencies may be inaccurate if exchange rates have changed.
The provided code uses fixed exchange rates, while the documentation says exchange rates use a real-time interface. Users should not over-trust currency conversion accuracy.
// Exchange rate cache (simplified version; a real implementation should use an API)
const EXCHANGE_RATES = {
USD: { CNY: 7.24, USDT: 1 },
Verify converted totals manually for accounting or tax purposes, and treat the built-in currency conversion as approximate unless a real exchange-rate source is added.
