Finance Tracker
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: finance-tracker
Version: 2.0.0

The OpenClaw skill 'finance-tracker' is a personal finance management tool. Its `SKILL.md` provides clear instructions for users to interact with the `finance` CLI, without any prompt injection attempts against the agent. The Python code in `bin/finance.py` and `lib/*.py` primarily handles local file I/O within the `~/.finance-tracker/` directory for data storage (`transactions.json`, `FINANCE_LOG.md`, etc.). The only network activity observed is in `lib/currency.py`, which fetches exchange rates from hardcoded, legitimate APIs (`open.er-api.com`, `api.exchangerate.host`) using `urllib.request.urlopen`. This network access is directly aligned with the stated multi-currency feature and shows no signs of data exfiltration or malicious intent. No other high-risk behaviors, such as arbitrary command execution, persistence mechanisms, or obfuscation, were found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Expense descriptions, amounts, categories, and dates may remain on disk in readable local files.
The tracker persists personal finance records in local JSON and Markdown files, which is expected for this skill but sensitive.
data_dir = Path.home() / ".finance-tracker" ... self.json_file = self.data_dir / "transactions.json" ... self.md_file = self.data_dir / "FINANCE_LOG.md"
Install only if you are comfortable storing finance records locally; avoid putting secrets in descriptions and review or delete ~/.finance-tracker when needed.

A mistaken or overly broad command could remove or alter the tracker’s local transaction or asset records.
The documented CLI can mutate and delete local finance-tracker records. This is disclosed and purpose-aligned, but it is still a meaningful data-changing capability.
finance undo ... finance edit <id> --amount=60000 ... finance delete <id> ... finance asset remove "Old Account"
Ask the agent to confirm before running delete, undo, edit, asset remove, or bulk recurring-processing commands.

Users have less registry-level provenance information to verify the publisher and installation details.
The registry provenance and install metadata are sparse for a skill that includes executable code, even though the provided code and docs appear coherent.
Source: unknown; Homepage: none ... No install spec — this is an instruction-only skill ... Code file presence: 12 code file(s)
Review the bundled files and package metadata before installing, and prefer a verified source or repository when available.

Currency-rate features may contact an external rate provider and maintain a local cache.
The skill discloses live exchange-rate use and caching. That is purpose-aligned, but the provider and exact network/data boundaries are not described in the instructions.
Automatic currency conversion with live exchange rates ... Rate caching: Rates refresh every 6 hours automatically.
Use the currency features only if you are comfortable with external exchange-rate lookups; avoid including unnecessary personal details in conversion commands.
