Expense Tracker v2 — Expense工具
v1.1.0[AI辅助] Track expenses and income with multi-backend storage (local/Notion/Google Sheet/Supabase). Credentials are encrypted with AES-256-GCM. Use when user wants to...
0· 333·0 当前·0 累计
by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's behavior broadly matches its description (local/Notion/Supabase storage with encrypted credentials), but the included script contains coding errors and there is a truncated file listing so I cannot confirm there are no hidden actions; review and testing are recommended before trusting any secrets to it.
评估建议
What to check before you install or run this skill:
- Review the full script contents (the provided file listing was truncated); ensure the rest of the code contains only the expected CLI parsing and no hidden network endpoints or telemetry. If you can, open the complete scripts/expense-tracker.js.
- Do not paste real API keys or master passwords until you validate the code. Instead, test with throwaway/test credentials or in a sandboxed account.
- The script saves encrypted credentials to ~/.o...详细分析 ▾
✓ 用途与能力
Name/description describe multi-backend expense tracking. The JS script implements local, Notion, and Supabase backends and prompts for the expected credentials. There are no unrelated environment variables, binaries, or surprising permissions requested in metadata.
ℹ 指令范围
SKILL.md and the script instruct the agent/CLI to store encrypted config under ~/.openclaw/expense-tracker/config.enc and store data in ~/expenses.json (or user-specified path). That is within scope. The runtime instructions and code interact with Notion and Supabase endpoints using user-supplied keys only. However the SKILL.md + code prompt for interactive passwords and may behave incorrectly due to coding bugs (non-blocking password prompt path, incorrect readline usage), which could lead to unexpected fallback to local storage or saved config not being used. No evidence of exfiltration to third-party endpoints beyond the declared backends.
✓ 安装机制
This is instruction-only with a shipped script; there is no install spec that downloads remote archives or runs arbitrary installers. That minimizes install-time risk. The script will be written to disk only if the user installs it locally; no package-manager installs or external URLs are used by the skill itself.
✓ 凭证需求
The skill requests no environment variables and only asks the user for the service credentials required for the claimed backends (Notion API key + DB ID, Supabase URL + key, Google Sheets credentials path). These requests are proportionate to the described capabilities. The credentials are stored under the skill's own config directory rather than in system-wide configuration, which is expected.
✓ 持久化与权限
The skill is not forced-always and does not request elevated platform privileges. It writes configuration and data files into the user's home directory (~/.openclaw/expense-tracker and ~/expenses.json), which is appropriate for a CLI app. It does not appear to modify other skills or system-wide agent settings.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.1.02026/3/3
Added AES-256-GCM encryption for credentials storage
● 可疑
安装命令 点击复制
官方npx clawhub@latest install expense-tracker-v2
镜像加速npx clawhub@latest install expense-tracker-v2 --registry https://cn.clawhub-mirror.com
技能文档
Quick 开始
Initial Setup (第一个 时间)
expense-tracker setup
This will:
- Ask 您 到 设置 master 密码 (对于 encrypting credentials)
- Select storage backend 和 configure API keys
Storage backends:
- Local file - 否 配置 needed
- Notion - Requires API 键 + 数据库 ID
- Google Sheet - Requires credentials path + Spreadsheet ID
- Supabase - Requires URL + Anon 键
设置 密码 (对于 Subsequent Uses)
expense-tracker pass
Or enter interactively when prompted.
记录 Expense
expense-tracker add -50 "lunch" food
# Format: expense-tracker add
# Negative amount = expense
记录 Income
expense-tracker add 5000 "salary" salary
# Positive amount = income
视图 Records
expense-tracker list # Recent 10 records
expense-tracker list --month # This month
expense-tracker list --category # By category
Statistics
expense-tracker stats # This month
expense-tracker stats -m 2 # 2 months ago
Security
Credentials are encrypted using AES-256-GCM with PBKDF2 key derivation.
- 配置 file:
~/.openclaw/expense-tracker/配置.enc - Never stores plain text passwords 或 API keys
Categories
food- Food & Diningtransport- Transportationshopping- Shoppingentertainment- Entertainmentsalary- Salarybonus- Bonusinvestment- Investment其他- 其他
Commands Reference
| Command | Description |
|---|---|
setup | Set password & configure backend (first time) |
pass | Set password for decryption |
add | Add new record |
list | View recent records |
list --month | This month's records |
list --category | Group by category |
stats | Monthly summary |
stats -m | N months ago |
Data 格式
Each record:
{
"id": "uuid",
"type": "expense|income",
"amount": -50,
"category": "food",
"note": "lunch",
"date": "2026-03-03",
"created_at": "2026-03-03T20:23:00Z"
}
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制