v1.0.0

expense-note

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:22 AM.

Analysis

This appears to be a local-only expense tracker with no exfiltration or hidden high-impact behavior, but it persists personal spending data in local JSON files.

Guidance

This is reasonable for a simple local expense tracker. Before installing, understand that your spending records will be saved in local JSON/report files, clear any bundled sample data if you do not want it mixed into your records, and make sure Node.js is available if you plan to run the included script.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Info. Confidence: High. Status: Note.
metadata
Required binaries (all must exist): none ... Install specifications
No install spec — this is an instruction-only skill.

The registry metadata does not declare a runtime requirement, while the supplied skill documentation and script indicate Node.js is used.

User impact: The skill may require manual Node.js availability even though the registry metadata does not advertise that requirement.
Recommendation: The publisher should declare Node.js as a required binary or provide clear run instructions; users should ensure they are running the included local script with a trusted Node.js installation.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low. Confidence: High. Status: Note.
SKILL.md
Each expense record contains:
- Description (description)
- Amount (amount)
- Category (category)
- Date (date)
- Notes (notes, optional)

Data is stored in the `data/expenses.json` file

The skill intentionally stores personal expense details persistently in a local JSON file.

User impact: Anyone with access to the device, backups, or exported report files may be able to read the user's spending history and notes.
Recommendation: Use it only on a trusted device, avoid putting highly sensitive details in notes, and protect, back up, or delete the local data files as needed.