Skill v1.0.0

ClawScan security

Arc Budget Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Feb 15, 2026, 6:52 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requirements match its stated purpose (local budget tracking). It only reads and writes a JSON file in the user's home directory and requires python3; there is no unexplained network access and no secrets are requested.
Guidance
This skill appears to do exactly what it says: a local Python CLI that logs transactions to ~/.openclaw/budget-tracker/budget.json and prints alerts. It does not request credentials or network access. Before installing, consider: (1) review the included script (it is bundled and will run with python3) and confirm you are comfortable executing bundled Python code; (2) if you run agents that can actually spend money, understand that this tool only logs transactions and blocks via its own in-script checks, so it cannot stop external payments on its own; (3) if the budget file will contain sensitive notes, consider setting --data-dir to a secured location or using filesystem encryption; (4) if you run the agent in a multi-user environment, be aware that the default data path is in your home directory and could be read by other local users with access. Overall, the skill is internally consistent with its stated purpose.

Review Dimensions

Purpose & Capability
ok
Name/description (budget tracking, alerts, limits) align with the included Python script and the CLI commands; the required binary (python3) is appropriate and nothing else is required (no cloud creds or unrelated binaries).
Instruction Scope
ok
SKILL.md instructs running the local script with explicit commands and documents the data file location. There are no instructions to read unrelated system files, environment variables, or to transmit data externally.
Install Mechanism
ok
No install spec / no downloads. The skill is instruction-only with an included Python script (bundled code executed locally); this is a low-risk install model.
Credentials
ok
No environment variables, credentials, or config paths are requested. The script stores data under ~/.openclaw/budget-tracker (configurable) which matches the skill's purpose.
Persistence & Privilege
ok
The always flag is false; the skill is user-invocable and may be called autonomously (platform default), but it does not request elevated privileges, modify other skills, or change system-wide settings.