ledger cn

Advisory

Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A ledger name that contains an absolute path or a '../' component, whether supplied maliciously or by accident, could create or modify a ledger.db file outside the intended OpenClaw ledger-data folder.

Why it was flagged

The user-controlled ledger_name is joined into a filesystem path with no normalization or containment check, despite the skill claiming ledger data is scoped to the ledger data directory.

Skill content

ledger_dir = os.path.join(base_path, ledger_name)
os.makedirs(ledger_dir, exist_ok=True)
return os.path.join(ledger_dir, "ledger.db")

Recommendation

Reject absolute paths and path separators in ledger names, resolve the final path, and verify it remains under ~/.openclaw/skills_data/ledger before creating or opening files.

What this means

Income, expense, account, and description details can remain on disk and be reused in later ledger queries.

Why it was flagged

The skill persistently stores and reuses personal finance records from a local ledger directory.

Skill content

Root path: `~/.openclaw/skills_data/ledger/<账本名>/` (where `<账本名>` is the ledger name) ... Every time the ledger is queried, the latest data must be read from the ledger directory.

Recommendation

Treat the ledger directory as sensitive, avoid storing overly private notes, and consider backups, access controls, or encryption if needed.

What this means

If the sync/upload feature is used, financial files may leave the local machine and become accessible according to the chosen Feishu/cloud permissions.

Why it was flagged

The skill advertises user-directed export/upload/sync of financial outputs to Feishu/cloud storage, but the provided artifacts do not define the exact destination, account scope, or sync implementation.

Skill content

Export CSV / Sync to Feishu Drive / Upload file

Recommendation

Before any upload or sync, confirm the exact file, destination folder, account, and sharing permissions; do not allow automatic uploads without review.

What this means

The documented commands may fail, use undeclared local dependencies, or point at an unexpected local install path if the package is installed differently.

Why it was flagged

The declared package metadata is incomplete or inconsistent with SKILL.md, which names the skill/version differently and documents commands using uv, sqlite3, and a hard-coded ~/.openclaw/skills/ledger path.

Skill content

Slug: ledger-by-cn; Version: 1.0.1; Required binaries: none; No install spec — this is an instruction-only skill.

Recommendation

Verify the installed path and runtime dependencies before use, and update metadata/install instructions so the invoked files and required binaries are explicit.