Expense Tracker v2
Track expenses and income with multi-backend storage (local/Notion/Google Sheet/Supabase). Credentials are encrypted with AES-256-GCM. Use when user wants to...
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 214 · 0 current installs · 0 all-time installs
by codeblackhole @codeblackhole1024
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description describe multi-backend expense tracking. The JS script implements local, Notion, and Supabase backends and prompts for the expected credentials. There are no unrelated environment variables, binaries, or surprising permissions requested in metadata.
Instruction Scope
SKILL.md and the script instruct the agent/CLI to store encrypted config under ~/.openclaw/expense-tracker/config.enc and store data in ~/expenses.json (or user-specified path). That is within scope. The runtime instructions and code interact with Notion and Supabase endpoints using user-supplied keys only. However the SKILL.md + code prompt for interactive passwords and may behave incorrectly due to coding bugs (non-blocking password prompt path, incorrect readline usage), which could lead to unexpected fallback to local storage or saved config not being used. No evidence of exfiltration to third-party endpoints beyond the declared backends.
Install Mechanism
This is instruction-only with a shipped script; there is no install spec that downloads remote archives or runs arbitrary installers. That minimizes install-time risk. The script will be written to disk only if the user installs it locally; no package-manager installs or external URLs are used by the skill itself.
Credentials
The skill requests no environment variables and only asks the user for the service credentials required for the claimed backends (Notion API key + DB ID, Supabase URL + key, Google Sheets credentials path). These requests are proportionate to the described capabilities. The credentials are stored under the skill's own config directory rather than in system-wide configuration, which is expected.
Persistence & Privilege
The skill is not forced-always and does not request elevated platform privileges. It writes configuration and data files into the user's home directory (~/.openclaw/expense-tracker and ~/expenses.json), which is appropriate for a CLI app. It does not appear to modify other skills or system-wide agent settings.
What to consider before installing
What to check before you install or run this skill:
- Review the full script contents (the provided file listing was truncated); ensure the rest of the code contains only the expected CLI parsing and no hidden network endpoints or telemetry. If you can, open the complete scripts/expense-tracker.js.
- Do not paste real API keys or master passwords until you validate the code. Instead, test with throwaway/test credentials or in a sandboxed account.
- The script saves encrypted credentials to ~/.openclaw/expense-tracker/config.enc and stores records in ~/expenses.json by default — back up any existing files and be comfortable with those file locations.
- The crypto choices are reasonable (AES-256-GCM, PBKDF2 with 100k iterations), but the implementation has bugs: there are incorrect readline/question usages and a likely bug in decrypt (concatenation of Buffer and string), which can break decryption and risk losing access to stored credentials/data. Expect to test and possibly fix the code before relying on it.
- The script calls network APIs only for Notion and Supabase using the keys you provide; verify there are no other unexpected domains in the remainder of the file.
- Ensure you run under a supported Node runtime (script uses fetch and assumes Node global fetch; Node 18+ recommended) and consider running it inside a container or throwaway environment first.
If you want, I can: (1) fetch and analyze the rest of the truncated file (if you provide it), (2) point out exact lines that need fixing for the password prompts and decryption, or (3) produce a safer drop-in replacement for the buggy functions.
Like a lobster shell, security has layers — review code before you run it.
Current version: v1.1.0
SKILL.md
Expense Tracker Skill
Quick Start
Initial Setup (First Time)
expense-tracker setup
This will:
- Ask you to set a master password (for encrypting credentials)
- Select storage backend and configure API keys
Storage backends:
- Local file - No config needed
- Notion - Requires API Key + Database ID
- Google Sheet - Requires credentials path + Spreadsheet ID
- Supabase - Requires URL + Anon Key
Set Password (For Subsequent Uses)
expense-tracker pass <your-password>
Or enter interactively when prompted.
Record Expense
expense-tracker add -50 "lunch" food
# Format: expense-tracker add <amount> <note> <category>
# Negative amount = expense
Record Income
expense-tracker add 5000 "salary" salary
# Positive amount = income
View Records
expense-tracker list # Recent 10 records
expense-tracker list --month # This month
expense-tracker list --category # By category
Statistics
expense-tracker stats # This month
expense-tracker stats -m 2 # 2 months ago
Security
Credentials are encrypted using AES-256-GCM with PBKDF2 key derivation.
- Config file: ~/.openclaw/expense-tracker/config.enc
- Never stores plain text passwords or API keys
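An added example, not taken from scripts/expense-tracker.js: one way to implement the AES-256-GCM with PBKDF2 scheme described here in Node.js, with the decrypted output joined as Buffers and wrong passwords or modified files rejected by the GCM tag. The blob layout (salt, IV, tag, ciphertext), SHA-256 as the PBKDF2 digest and all function names are assumptions; the 100k iteration count is the figure the scan reports.

```javascript
// Added example, not the skill's code. Layout and names are assumptions.
const crypto = require("node:crypto");

const ITERATIONS = 100000; // PBKDF2 iteration count reported by the scan
const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16; // assumed blob layout
const HEADER_LEN = SALT_LEN + IV_LEN + TAG_LEN;

function deriveKey(password, salt) {
  // 32-byte key for AES-256; SHA-256 digest is an assumption of this example
  return crypto.pbkdf2Sync(password, salt, ITERATIONS, 32, "sha256");
}

// Returns one Buffer: salt || iv || tag || ciphertext
function encryptConfig(config, password) {
  const salt = crypto.randomBytes(SALT_LEN); // fresh salt and IV on every save
  const iv = crypto.randomBytes(IV_LEN);
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(config), "utf8"), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]);
}

function decryptConfig(blob, password) {
  if (blob.length < HEADER_LEN) throw new Error("config blob too short");
  const salt = blob.subarray(0, SALT_LEN);
  const iv = blob.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = blob.subarray(SALT_LEN + IV_LEN, HEADER_LEN);
  const decipher = crypto.createDecipheriv("aes-256-gcm", deriveKey(password, salt), iv,
    { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag);
  // Join the pieces as Buffers; `+` would coerce a Buffer to a string first.
  // final() throws if the tag does not verify (wrong password or modified file).
  const pt = Buffer.concat([decipher.update(blob.subarray(HEADER_LEN)), decipher.final()]);
  return JSON.parse(pt.toString("utf8"));
}

// Reports "ok" or "rejected" without exposing plaintext or error detail
function tryDecrypt(blob, password) {
  try { decryptConfig(blob, password); return "ok"; } catch { return "rejected"; }
}

// Constructed sample values (not real credentials)
const sample = { backend: "notion", apiKey: "test-key-not-real", databaseId: "test-db-id" };
const blob = encryptConfig(sample, "correct horse");
const tampered = Buffer.from(blob);
tampered[tampered.length - 1] ^= 0x01; // flip one ciphertext bit
console.log(decryptConfig(blob, "correct horse").backend,
  tryDecrypt(blob, "wrong password"), tryDecrypt(tampered, "correct horse"));
```
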
Categories
- food - Food & Dining
- transport - Transportation
- shopping - Shopping
- entertainment - Entertainment
- salary - Salary
- bonus - Bonus
- investment - Investment
- other - Other
Commands Reference
| Command | Description |
|---|---|
| `setup` | Set password & configure backend (first time) |
| `pass <password>` | Set password for decryption |
| `add <amount> <note> <category>` | Add new record |
| `list` | View recent records |
| `list --month` | This month's records |
| `list --category` | Group by category |
| `stats` | Monthly summary |
| `stats -m <n>` | N months ago |
Data Format
Each record:
{
"id": "uuid",
"type": "expense|income",
"amount": -50,
"category": "food",
"note": "lunch",
"date": "2026-03-03",
"created_at": "2026-03-03T20:23:00Z"
}
Files
2 total
