Expense tracking and accounting for AI agents. Log purchases, set budgets, generate spending reports, and manage multi-currency finances — all stored locally. Privacy.com card import, natural language queries, CSV/JSON export. Use when agents make purchases and need a financial audit trail.
Security Analysis
High confidence. The skill's code, CLI, and runtime instructions are coherent with its stated purpose (local expense tracking) and do not request unrelated credentials, binaries, or network access.
Name/description (expense tracking, budgets, reports, Privacy.com imports) match the included code (ledger, budget, reports, CLI). Required binary is just node and no credentials/config paths are requested, which is proportionate for a local ledger tool.
SKILL.md instructs only local operations (logging, importing local Privacy.com JSON exports, exporting CSV/JSON, reading/writing workspace/ledger JSON files). It does not instruct the agent to read unrelated system files, access environment secrets, or send data to external endpoints.
There is no remote download/install step in the skill metadata. The package.json and README expect the skill to be copied into the workspace and run with node; that is low-risk and consistent with the skill's purpose.
The skill declares no required environment variables or credentials and only needs filesystem access in the workspace (package.json lists filesystem permissions). That matches the stated local-storage design and is proportional.
always is false and the skill does not request any elevated or cross-skill privileges. It stores data under workspace/ledger only and does not modify other skills or global agent settings.
Guidance
AgentLedger appears coherent: it runs under Node, stores all data locally under workspace/ledger, and asks for no external credentials. Before installing, consider the following:
1) Privacy of stored data: transactions include receipt URLs, confirmation IDs and free-text context; ensure your workspace is secure and do not import raw exports containing full card numbers.
2) Verify the Privacy.com importer implementation (importPrivacyTransactions) to confirm it only processes local JSON and does not make network calls or log sensitive fields.
3) Inspect the omitted/truncated files for any child_process, eval, or network code (HTTP requests, fetch, axios) if you need high assurance.
4) Run the package in a sandbox or dedicated agent workspace first and run the test suite (node test/ledger.test.js).
5) If you want to prevent autonomous agent use of this skill, set disable-model-invocation or only allow user-invocable usage in your agent policy.
Overall this skill is internally consistent with its stated purpose, but you should still validate the importer and keep sensitive exports out of the workspace.
Latest Release
v1.1.1
v1.1.1 — Added summary and keywords for ClawHub listing.
Published by @c-goro on ClawHub