Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Easyaccounts
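v0.2.0
Family finance manager. Connects to the EasyAccounts personal bookkeeping system through natural language, supporting bookkeeping, account queries, batch bookkeeping, internal transfers, transaction edits, income and expense statistics, annual analysis, Excel export, system announcement queries, and more. Manage household accounts, expenses, income,...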
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code and scripts: all scripts call the EasyAccounts HTTP API, use curl/jq, and implement adding/querying/updating flows, exports and system info. Required binaries (curl, jq) and the install of jq are appropriate for the described functionality.
Instruction Scope
SKILL.md and the scripts keep to the stated purpose: talk to the EasyAccounts API, perform login, and manage flows. The SKILL.md explicitly instructs the agent to use provided scripts (scripts live in the package) rather than crafting raw curl calls. Scripts only call the target EASYACCOUNTS_URL (with /api appended) and do not send data to external endpoints beyond that server.
Install Mechanism
Install spec only offers installing jq via brew/apt — a low-risk, typical dependency install. No downloads from arbitrary URLs or archive extraction are present.
Credentials
Registry metadata declares only EASYACCOUNTS_URL as required, but SKILL.md and the scripts also read/use EASYACCOUNTS_USERNAME and EASYACCOUNTS_PASSWORD for automatic login. Those optional credential env vars are not listed in requires.env. The primaryEnv is set to EASYACCOUNTS_URL (a URL, not a secret), which may be confusing. Requesting username/password (even optional) should be declared explicitly in metadata so users know the skill can access those secrets.
Persistence & Privilege
The skill saves an authentication token to ~/.config/easyaccounts/token (ea_save_token) and sets mode 600. This is expected for session reuse but is persistent on disk. The skill does not set always:true or modify other skills. Users should be aware of local token storage and the config directory created under the user's home.
What to consider before installing
This skill is generally consistent with its stated purpose (talking to a self-hosted EasyAccounts API), but note two things before installing: 1) although the registry only lists EASYACCOUNTS_URL as required, the scripts will also read EASYACCOUNTS_USERNAME and EASYACCOUNTS_PASSWORD (optional) and will attempt to auto-login with them — treat those as secrets and only provide them if you trust the target server; 2) the skill persists a token at ~/.config/easyaccounts/token (file created with chmod 600). Review the shipped scripts yourself (they are included) to confirm you are comfortable with the exact API paths and token handling, ensure EASYACCOUNTS_URL points to a server you control/trust, and store the env vars and token with appropriate file permissions. If you need metadata accuracy, ask the publisher to declare EASYACCOUNTS_USERNAME/EASYACCOUNTS_PASSWORD in the skill manifest.
Like a lobster shell, security has layers — review code before you run it.
Tags: accounting, bookkeeping, chinese, easyaccounts, finance, latest
Runtime requirements
Bins: curl, jq
Env: EASYACCOUNTS_URL
Primary env: EASYACCOUNTS_URL
Install
Install jq (brew)
Bins: jq
brew install jq