expense-note
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a local-only expense tracker with no exfiltration or hidden high-impact behavior, but it persists personal spending data in local JSON files.
This is reasonable for a simple local expense tracker. Before installing, understand that your spending records will be saved in local JSON/report files, clear any bundled sample data if you do not want it mixed into your records, and make sure Node.js is available if you plan to run the included script.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with access to the device, backups, or exported report files may be able to read the user's spending history and notes.
The skill intentionally stores personal expense details persistently in a local JSON file.
Each expense record contains: - Description (description) - Amount (amount) - Category (category) - Date (date) - Notes (notes, optional) Data is stored in the `data/expenses.json` file
Use it only on a trusted device, avoid putting highly sensitive details in notes, and protect, back up, or delete the local data files as needed.
The skill may require manual Node.js availability even though the registry metadata does not advertise that requirement.
The registry metadata does not declare a runtime requirement, while the supplied skill documentation and script indicate Node.js is used.
Required binaries (all must exist): none ... Install specifications No install spec — this is an instruction-only skill.
The publisher should declare Node.js as a required binary or provide clear run instructions; users should ensure they are running the included local script with a trusted Node.js installation.
