Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Recite

v1.0.1

AI-powered receipt scanning that renames files by date/vendor, extracts transaction details, and logs them in a dynamic bookkeeping CSV.

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
[!] Purpose & Capability
The code implements receipt scanning, renaming, and CSV bookkeeping consistent with the skill description. However, the registry metadata declares no required environment variables while the SKILL.md and the script both require a RECITE_API_KEY (or ~/.config/recite/config.json). That missing declaration is an incoherence that could mislead users and automated gating systems.
[!] Instruction Scope
SKILL.md promises the agent will always read the skill's long_term_memory.md and that the agent will 'skip saving' rows when previously-present CSV fields are missing. The script defines a read_ltm() helper but never calls it, so LTM is not actually used. Also, the CSV logic does not 'skip' rows when fields are missing — it writes blanks or expands headers — so the documentation overstates behavior.
Install Mechanism
No install spec or remote downloads; the skill is instruction + a local Python script. That keeps installation risk low (nothing arbitrary is fetched or executed at install time).
[!] Credentials
The script requires a Recite API key (RECITE_API_KEY or ~/.config/recite/config.json) but the registry metadata lists no required credentials. Additionally, the skill sends entire receipt files (base64-encoded) to https://recite.rivra.dev/apiV1/api/v1/scan — a potentially sensitive external endpoint. Requesting an API key for the service you integrate with is expected, but the missing registry declaration and external exfiltration of full images are proportionality/privacy concerns users must be aware of.
Persistence & Privilege
The skill does not request elevated platform privileges or permanent inclusion (always:false). It modifies files in the user-specified target folder (renaming and appending a CSV), which is coherent with its stated purpose. Autonomous invocation is allowed (platform default) but not by itself a new risk here.
What to consider before installing
Before installing or running this skill:

  1. Understand that receipts (full images/PDFs) are uploaded to a third-party endpoint (recite.rivra.dev). Only proceed if you trust that service and its privacy/security practices.
  2. The registry metadata does not list the required RECITE_API_KEY even though both SKILL.md and the script require it — treat the key as mandatory.
  3. The SKILL.md promises behavior (reading long_term_memory.md and skipping rows when fields disappear) that the script does not implement; expect the script to write blanks or add new columns rather than skipping entries.
  4. Back up your receipt folder before a run (files will be renamed) and test on a small set first.
  5. If you need stronger privacy guarantees, request or implement an offline/local OCR alternative instead of sending images to an external API.
  6. If you plan to use this skill in production, ask the author for corrected registry metadata, documentation that matches the code, and a privacy/security statement for the recite.rivra.dev endpoint.

Like a lobster shell, security has layers — review code before you run it.

latest · 533 downloads · 0 stars · 2 versions · Updated 21h ago
MIT-0

name: recite
description: AI receipt scanner & bookkeeping automation. Process receipts, invoices, and PDFs. Extracts data to rename files and log transactions/expenses to CSV. Perfect for tax & accounting.

Recite 🦞🤵

AI-driven receipt bookkeeping via the Recite Vision API. Use recite-process to scan a directory of receipts and PDF files, rename them based on extracted data, and log transactions to a CSV file.

Setup & Configuration

1. API Key

You can generate your Recite API key at: https://recite.rivra.dev/settings/api.

Set the API key in your environment or configuration file:

  • Environment: export RECITE_API_KEY="re_live_YOUR_API_KEY"
  • Config: Create ~/.config/recite/config.json with {"api_key": "re_live_..."}.

2. Dependencies

Ensure you have python3 and the requests package installed. The csv module is part of the Python standard library and needs no separate install.

Operational Rules

1. Mandatory API Key Pre-check

Before performing any scanning, file manipulation, or bookkeeping tasks, the agent MUST verify if a valid Recite API key is available (via RECITE_API_KEY environment variable or ~/.config/recite/config.json).

  • If missing: Immediately stop all other operations and instruct the user to obtain an API key from https://recite.rivra.dev/settings/api and provide it. Do not attempt to list files or proceed with any part of the workflow until the key is confirmed.

3. Schema-Aware Bookkeeping

The agent is designed to handle API response changes gracefully:

  • Dynamic Schema Evolution: If the Recite API adds new information (new JSON fields), the agent will automatically add corresponding columns to your bookkeeping_transactions.CSV without losing existing data.
  • Data Integrity Protection: If a field that was previously present in the CSV is missing from the current API response, the agent will skip saving that specific entry and warn the user, preventing data corruption or "shifted" columns.
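
One way the two rules above could be implemented, shown as an added example: this is not the skill's own process_receipts.py, which the scan report on this page says writes blanks or expands headers rather than skipping. The function name `append_transaction` and its `(status, field_names)` return value are assumptions made for illustration, and the records in the demo are constructed.

```python
import csv
import os
import tempfile


def append_transaction(csv_path, record):
    """Return ("written", columns_added) or ("skipped", columns_missing)."""
    if not os.path.exists(csv_path):
        with open(csv_path, "w", newline="", encoding="utf-8") as fh:
            writer = csv.DictWriter(fh, fieldnames=list(record))
            writer.writeheader()
            writer.writerow(record)
        return "written", list(record)

    with open(csv_path, newline="", encoding="utf-8") as fh:
        reader = csv.DictReader(fh)
        header = list(reader.fieldnames or [])
        rows = list(reader)

    # Data Integrity Protection: every column already in the CSV must be in
    # the new record, otherwise the file is left untouched and the caller warns.
    missing = [col for col in header if col not in record]
    if missing:
        return "skipped", missing

    added = [key for key in record if key not in header]
    if not added:
        with open(csv_path, "a", newline="", encoding="utf-8") as fh:
            csv.DictWriter(fh, fieldnames=header).writerow(record)
        return "written", []

    # Dynamic Schema Evolution: rewrite with the wider header, pad old rows
    # with "", and swap the file in atomically so a crash cannot truncate it.
    target_dir = os.path.dirname(os.path.abspath(csv_path))
    fd, tmp = tempfile.mkstemp(dir=target_dir, suffix=".tmp")
    with os.fdopen(fd, "w", newline="", encoding="utf-8") as fh:
        writer = csv.DictWriter(fh, fieldnames=header + added, restval="")
        writer.writeheader()
        writer.writerows(rows)
        writer.writerow(record)
    os.replace(tmp, csv_path)
    return "written", added


if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "bookkeeping_transactions.CSV")
    base = {"date": "2024-05-20", "vendor": "Starbucks", "total": "4.50"}  # constructed
    print(append_transaction(path, base))
    print(append_transaction(path, {**base, "tip": "1.00"}))
    print(append_transaction(path, {"date": "2024-05-21", "vendor": "Shell"}))
```
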

Workflow & Features

  1. Scan Folder: The agent scans the specified folder for images (.jpg, .jpeg, .png) and .pdf files.
  2. AI Extraction: Calls the Recite API to extract date, vendor, total, currency, and category.
  3. Smart Renaming: Renames the file to [date]_[vendor].[ext] (e.g., 2024-05-20_Starbucks.jpg).
  4. Bookkeeping Log: Appends the extracted data (Date, Vendor, Total, Currency, Category, Subtotal, Tax, Tip, Fees, Discounts, Description, Payment Method, Confidence, etc.) and filenames to bookkeeping_transactions.CSV in the target folder.
  5. Status Report: Provides a summary of processed files and the CSV location.

Long-Term Memory & Custom Logic

Modify skills/recite/long_term_memory.md to add persistent instructions for the agent. The agent will always read this file before processing.

Examples:

  • "After processing, move all files to a sub-folder named processed/."
  • "Alert me if any single receipt is over $500."
  • "Always categorize 'Amazon' as 'Software Services'."

Tool Usage

  • Command: python3 skills/recite/process_receipts.py <target_directory> skills/recite/
  • Arguments:
    • <target_directory>: The folder containing your receipts.
    • skills/recite/: The path to the skill folder (used to locate long_term_memory.md).

Strategic Moat

  • Agent-First Consistency: Guaranteed structured JSON output for financial data.
  • Tax-Ready Logic: Intelligent categorization based on standard business practices.
  • Seamless Integration: Built for the AI Agent economy (OpenClaw, Claude Code).
