Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Snarky Expense Butler
v1.0.0毒舌记账管家,支持记账、查询、预算提醒、毒舌消费分析、地域统计、趋势图。当用户提到记账、消费、花销、支出、记一笔、消费分析、预算、记个账时触发。NOT for: 股票/投资分析、记账软件推荐。
⭐ 0· 87·0 current·0 all-time
by@ybl2020
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (local, snarky expense tracker) match the included Python scripts and SKILL.md. Functionality (add/query/analysis/budget/location/trends/report) is implemented by the bundled scripts. No unrelated credentials, binaries, or surprising capabilities are requested.
Instruction Scope
SKILL.md instructs local operation using ./expense_records.json and an optional trends directory; the scripts follow that behavior. The scripts read/write only the declared local data file and trends dir, and implement described commands (including backfill which modifies historical records). No instructions direct broad system scanning, secret harvesting, or sending user data to unexpected endpoints by default.
Install Mechanism
No install spec; this is instruction + source bundle only. All code is included in the package (no network downloads or extracted archives during install).
Credentials
No required environment variables are declared. Several scripts optionally read EXPENSE_DATA_FILE and EXPENSE_TRENDS_DIR (expected). expense_trends.py optionally reads OPENROUTER_API_KEY and will attempt an HTTPS call to openrouter.ai when that key is present; it also attempts to read ~/.openclaw/openclaw.json (non-sensitive config lookup) but does not extract system keychain contents. The optional OpenRouter usage can transmit summarized chart data to an external service if you supply the API key.
Persistence & Privilege
always is false and the skill does not request elevated or persistent platform privileges. It stores/updates only the local expense_records.json and generated images in the trends directory as described; backfill and add_expense modify that file intentionally.
Assessment
This package appears to be a straightforward local expense tracker. Key points to consider before installing/using:
- Data storage: Your expenses are stored in a local JSON file (default: scripts/expense_records.json). Backups and file permissions are recommended because the scripts will read/write and can modify historical records (e.g., backfill).
- Optional network use: expense_trends.py will attempt to call openrouter.ai if you set OPENROUTER_API_KEY in your environment. That call would send the chart data (labels and amounts) to the external service to request an image. If you do not set that API key, the code falls back to local matplotlib. Only set an API key if you trust the external service and are comfortable sending this data.
- Config file read: the trends script tries to read ~/.openclaw/openclaw.json as a convenience; it does not appear to exfiltrate keys or attempt to access system keychains.
- Inspect/lock the data file: Because the tool writes plain JSON, anyone with filesystem access to that path can read your financial data. Consider using filesystem permissions or placing the file in a secure location and setting EXPENSE_DATA_FILE/EXPENSE_TRENDS_DIR accordingly.
- Autonomy: The skill can be invoked by the agent (default platform behavior) but it does not autonomously send data unless you provide an external API key and run the trends command.
If these behaviors match your expectations, the skill is coherent with its description. If you are uncomfortable with potential network calls, avoid setting OPENROUTER_API_KEY or audit/modify expense_trends.py to remove the remote call.Like a lobster shell, security has layers — review code before you run it.
latestvk97de5g6thpazhhwwy9nf5yy9n835rdc
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
💰 Clawdis