Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ClawReceipt
v1.0.0
Use this skill to extract receipt information, record expenses, track budgets, and manage financial receipts using the ClawReceipt CLI.
by Sakurako (@sakurako-irs)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the provided code and SKILL.md. The CLI implements add, list, budget, alert, and a TUI; storage is a local SQLite DB under data/receipts.db. No unrelated cloud credentials, system-level access, or external endpoints are requested. README mentions an OpenClaw CLI integration but that is optional context rather than a required credential.
Instruction Scope
SKILL.md instructs the agent to extract receipt fields (via agent OCR/vision) and run local python commands (python run.py ...). It explicitly warns not to run the blocking TUI as an agent. The instructions do not ask the agent to read unrelated files or secrets. Note: SKILL.md expects the agent to perform OCR/vision externally (agent side) — the included code does not itself perform OCR, only accepts manual/extracted fields.
Install Mechanism
There is no install spec in the registry entry; the package is distributed with source files and a requirements.txt. No remote downloads or extraction from arbitrary URLs are present. Requirements include common PyPI packages (textual, rich, pandas, openpyxl, etc.). A few packages in requirements.txt (pydantic, python-dotenv, pillow) are not used by the code — unnecessary but not inherently malicious.
Credentials
The skill declares no required environment variables, no primary credential, and no external config paths. The code only reads/writes a local SQLite DB and can export CSV/Excel files. No secrets or unrelated credentials are requested.
Persistence & Privilege
The skill will create a data/ directory and receipts.db in the repository/runtime working directory and write export files (receipts_export.csv, receipts_export.xlsx). It does not request always: true or modify other skills' configs. Consider that it writes files to disk and those files could be read or uploaded by other tools or agents if present.
Assessment
This skill appears internally consistent with its stated purpose and has no network callbacks or secret-exfiltration code. Before installing/using it: (1) run it in a contained environment (venv or sandbox) and inspect files it creates (data/receipts.db, exported CSV/XLSX), (2) only install its pip requirements from PyPI in a trusted environment, (3) be aware the agent (or other tools) may need to perform OCR/vision externally — the skill itself expects extracted fields, and (4) if you are concerned about sensitive financial data, keep the repository and data directory in a location with appropriate access controls. If you want higher assurance, you can run the code locally and review the database file contents to confirm behavior.
Like a lobster shell, security has layers — review code before you run it.
