Finance Tracker
Pass
Audited by ClawScan on May 1, 2026.
Overview
The artifacts show a coherent local finance-tracking tool with expected local record storage, editing, deletion, and currency-rate features, and no evidence of hidden exfiltration or deceptive behavior.
This appears safe for its stated purpose, but treat it like any finance app: know that it stores your expense, income, goal, and asset records locally, confirm before letting an agent edit/delete records or process recurring expenses, and be aware that live currency features may use external rate lookups.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Expense descriptions, amounts, categories, and dates may remain on disk in readable local files.
The tracker persists personal finance records in local JSON and Markdown files, which is expected for this skill but sensitive.
data_dir = Path.home() / ".finance-tracker" ... self.json_file = self.data_dir / "transactions.json" ... self.md_file = self.data_dir / "FINANCE_LOG.md"
Install only if you are comfortable storing finance records locally; avoid putting secrets in descriptions and review or delete ~/.finance-tracker when needed.
A mistaken or overly broad command could remove or alter the tracker’s local transaction or asset records.
The documented CLI can mutate and delete local finance-tracker records. This is disclosed and purpose-aligned, but it is still a meaningful data-changing capability.
finance undo ... finance edit <id> --amount=60000 ... finance delete <id> ... finance asset remove "Old Account"
Ask the agent to confirm before running delete, undo, edit, asset remove, or bulk recurring-processing commands.
Users have less registry-level provenance information to verify the publisher and installation details.
The registry provenance and install metadata are sparse for a skill that includes executable code, even though the provided code and docs appear coherent.
Source: unknown; Homepage: none ... No install spec — this is an instruction-only skill ... Code file presence: 12 code file(s)
Review the bundled files and package metadata before installing, and prefer a verified source or repository when available.
Currency-rate features may contact an external rate provider and maintain a local cache.
The skill discloses live exchange-rate use and caching. That is purpose-aligned, but the provider and exact network/data boundaries are not described in the instructions.
Automatic currency conversion with live exchange rates ... Rate caching: Rates refresh every 6 hours automatically.
Use the currency features only if you are comfortable with external exchange-rate lookups; avoid including unnecessary personal details in conversion commands.
