Card Benefits Tracker

Pass. Audited by ClawScan on May 1, 2026.

Overview

This appears to be a local credit-card-benefits tracker; it stores and can modify personal card-benefit data, but the provided artifacts do not show hidden network access, credential use, or exfiltration.

This skill looks reasonable for a local card-benefits tracker. Before installing, review or clear the prefilled card data, avoid storing full card numbers or login credentials, confirm destructive changes like deletes, and keep backups if you depend on the tracker.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any process with access to the skill files could see the tracked card portfolio and benefit history.

Why it was flagged

The skill stores a persistent credit-card portfolio with annual fees, membership dates, selected airline, benefits, and usage-related data. This is expected for the tracker, but it is personal financial-adjacent information.

Skill content

"name": "American Express Platinum Card", "annual_fee": 695, "card_member_since": "2025-10", "airline_selected": "United Airlines"

Recommendation

Use this only if you are comfortable storing this information locally; avoid adding account numbers, passwords, or full card numbers, and remove any sample or irrelevant data before relying on it.

What this means

A mistaken or poorly reviewed command could remove card or benefit records from the local tracker, though it would not affect the actual bank or card issuer account.

Why it was flagged

The bundled CLI can modify and delete local tracker records. This is aligned with the stated card-management purpose, but deletion is a destructive local data action.

Skill content

def cmd_cards_delete(args): ... data["cards"].pop(idx) ... write_cards(data)

Recommendation

Require clear user confirmation before delete or major update actions, and keep a backup of cards.json and data files if the tracker becomes important.

What this means

Users are relying on included local code from an unknown source, even though the install metadata does not prominently describe an executable component.

Why it was flagged

The skill is described as instruction-only but includes bundled Python scripts that perform the tracker operations. The code appears purpose-aligned, but provenance and runtime expectations are under-declared.

Skill content

Source: unknown; Homepage: none; Install specifications: No install spec — this is an instruction-only skill; Code file presence: api/cli.py, generate_report.py

Recommendation

Review the bundled Python files before use and prefer metadata that explicitly declares the helper scripts and Python runtime expectation.