Auto Accounting

What to check before installing: - Source trust: the repo/homepage is listed but source is 'unknown' in the registry metadata — verify the upstream GitHub repository and author identity. - Environment variables: although metadata lists none, the code checks XIAOYI_CLAW_ENV, OPENCLAW_RUNTIME, XIAOYI_API_KEY and TARGET_APP_PACKAGE. Confirm you are comfortable providing those values and that no sensitive keys (e.g., XIAOYI_API_KEY) will be exposed or overly permissive. - File writes: several modules can read/write history and preferences if given paths. If you want no local persistence, verify how preferences/history paths are set before running. - Network activity: package.json includes 'requests' and CODE_PROTECTION.md contains example server-side calls — audit the code paths to ensure images or parsed data are not sent to external servers you don't control. - False claims in audits: SECURITY_AUDIT.md asserts 'no file I/O' and 'no network'; that contradicts actual code. Treat built-in audit files as authored by the skill author and verify with your own review or sandboxed testing. - Exclusive/legal restrictions: the skill forbids modification and enforces single-app use; these are contractual/legal constraints but not technical guarantees. If you require an auditable or modifiable tool, this skill may not fit. Recommendations: review the repository code (search for os.environ access, open/write calls, and any requests.post/get calls), run the skill in a sandboxed Android test environment first, and only provide minimal environment variables (and non-sensitive test API keys) until you confirm behavior. If anything is unclear, contact the author or prefer a skill whose declared requirements match its runtime behavior.