Simplify Budget Expense Tracker
v1.1.6Log, find, update, and delete expenses and income in the Simplify Budget Google Sheet, and answer read-only recurring schedule questions. NEVER use sessions_...
⭐ 1· 159·0 current·0 all-time
bySerdar Salim@serdarsalim
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description require Google Sheets access and currency config; the package asks for GOOGLE_SA_FILE, SPREADSHEET_ID and TRACKER_CURRENCY and depends on curl/jq/python3/openssl — these are expected for a script-based Sheets integration. The presence of many shell scripts is consistent with the declared behaviour.
Instruction Scope
SKILL.md insists the agent always run the bundled scripts and treat script output as the sole source of truth; that is consistent with a script-first design. Small inconsistency to note: the SKILL.md warns 'DO NOT call get_categories.sh' for the agent, but the dispatcher (exec.sh) calls a bundled get_categories.sh internally to build a cached category list — this appears to be an instruction-level restriction for the agent, not missing functionality. The instructions also force the agent to execute arbitrary bundled shell scripts via the exec tool — expected for this skill but worth awareness because it grants the agent scripted shell behavior scoped to the skill directory.
Install Mechanism
No external install/downloads are declared (instruction-only with bundled scripts). All code is included in the package; no fetch-from-URL or third-party package install was specified in the repo metadata, which reduces supply-chain risk.
Credentials
Required environment variables (GOOGLE_SA_FILE, SPREADSHEET_ID, TRACKER_CURRENCY) are proportional to a Sheets-based tracker. Two operational concerns: exec.sh defines sensible defaults (OPENCLAW_HOME/sa.json and a hardcoded SPREADSHEET_ID) — if users leave env vars unset those defaults could cause the skill to target a default spreadsheet or default SA path. Make sure to explicitly set GOOGLE_SA_FILE and SPREADSHEET_ID and use a dedicated service account with minimal permissions.
Persistence & Privilege
The skill is not marked always:true, does not request system-global privileges, and writes its own cache under OPENCLAW_HOME/cache/simplify-budget only. Scripts update the Google Sheet (intended behavior) but do not appear to try to modify other skills or global agent settings.
Assessment
This package appears to be what it says: a script-first Google Sheets budget tracker. Before installing: 1) Explicitly set GOOGLE_SA_FILE and SPREADSHEET_ID (do not rely on the packaged defaults) and give the service account only the minimal editor access needed to your own copy of the template. 2) Inspect scripts that create network traffic (get_token.sh and expense_lib.sh / any file that uses curl) to confirm they only call Google APIs (sheets.googleapis.com / oauth2.googleapis.com) and no unexpected external endpoints. 3) Run the skill in a test environment or with a copy of the spreadsheet to verify writes behave as expected. 4) If you plan to allow autonomous agent invocation, be comfortable that the agent is permitted to execute the bundled shell scripts (this is required for the skill to function). If you want a higher-assurance decision, provide the missing script contents (the scanner truncated several files) for a full review — that could raise confidence to high.Like a lobster shell, security has layers — review code before you run it.
latestvk977nxajfz7y14rnw236n5z65x84h4z1
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
💸 Clawdis
Binscurl, jq, python3, openssl
EnvGOOGLE_SA_FILE, SPREADSHEET_ID, TRACKER_CURRENCY
Primary envGOOGLE_SA_FILE