Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

accounting assistant

v1.0.3

Bilingual expense tracking & bookkeeping skill — "Accounting Assistant / 记账助手". Triggers on any spending/expense message (花了/消费/spend/spent/¥/$/RMB/USD/CNY/买...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Pending
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (bilingual expense tracking, reports, exports) aligns with the included scripts (ledger.py, export.py, charts.py), the category reference, and the SKILL.md instructions. The files implement parsing, storage, charts, and exports, all of which are expected for an accounting assistant.
Instruction Scope
SKILL.md instructs the agent to read/write data under ~/.qclaw/workspace/expense-ledger, to load references/categories.md for classification, and to call the included scripts. Those actions are expected for this purpose, but the agent will execute code that reads and writes files in your home directory — the instructions do not request other system files or network endpoints.
Install Mechanism
No install spec (instruction-only) and all code is bundled with the skill, which reduces supply-chain risk. However, charts.py imports subprocess (and the file is truncated in the listing), which suggests it may call local external binaries to render PNGs. The skill does not declare any required binaries; this mismatch should be checked (the scripts may rely on system tools or Python-only libraries).
Credentials
The skill declares no environment variables or credentials and the code operates solely on local files under the user's home directory. There are no requests for unrelated secrets or external service tokens.
Persistence & Privilege
The skill writes persistent data to a dedicated directory (~/.qclaw/workspace/expense-ledger) and creates export/chart subfolders. always:false (normal). Writing persistent personal finance data is expected, but you should be aware the agent will create and modify files in your home directory.
What to consider before installing
This skill mostly does what it says (parsing messages, saving a ledger, exporting CSV/JSON, generating charts) and stores all data locally in ~/.qclaw/workspace/expense-ledger. Before installing or running it:
1) Review the full contents of scripts/charts.py (the listing shows subprocess is imported and the file was truncated) to confirm it does not call unexpected external binaries or network endpoints;
2) If you want to render charts, confirm which system tools (if any) the script invokes — the skill did not declare required binaries; install those yourself or run in an environment that has the needed tools;
3) Back up any existing data you care about (the skill will create/overwrite files in that path);
4) If you are concerned about safety, run the scripts in a sandbox or VM first and inspect runtime behavior (file writes, spawned processes, network activity);
5) Because the agent will execute bundled scripts, avoid granting this skill access to sensitive credentials elsewhere on your system and verify there are no hidden network calls in the truncated sections.
If you want, provide the full, untruncated charts.py and the remainder of ledger.py so I can re-check for subprocess calls or outbound communications.
