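智能记账助手 (Smart Bookkeeping Assistant) v2.0 | AI Expense Tracker. Supports voice-based expense entry, budget reminders, weekly and monthly report pushes, and smart categorization.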
Security Analysis
High confidence. This skill markets advanced expense-tracking features but provides only a payment/sales note and no technical integration, credentials, or runtime instructions; the mismatch and the embedded payment flow are suspicious.
The description promises voice recognition, automatic classification, push reports, multi-user and paid tiers, but the skill is instruction-only with no code, no API endpoints, no required credentials, and no install spec. There is an internal metadata line saying it requires 'jq' (in SKILL.md) but the registry metadata lists no required binaries — this inconsistency suggests the skill cannot actually perform the claimed features as provided.
SKILL.md is essentially marketing and a manual payment flow (scan & send screenshot). It contains no concrete runtime instructions for how the agent should perform voice transcription, send push reports, store or retrieve user data, or verify payments. The payment flow requires users to send screenshots of payments for manual activation — a social-engineering risk and operationally unclear for an autonomous agent.
There is no install spec and no code files (instruction-only), so nothing will be downloaded or written to disk by an installer. This limits direct code-execution risk but also means promised features have no backing implementation in the package.
The skill requests no environment variables or credentials but claims features (voice recognition, push notifications, QQ integration, multi-user accounts) that would normally require service credentials, API keys, or backend access. Also, developer payment account info is embedded in the SKILL.md — not sensitive by itself, but unusual for a skill manifest and raises trust questions.
always:false and no install actions or declared config paths. The skill does not request persistent presence or system-wide configuration changes.
Guidance
Do not pay or send screenshots to this skill yet. It currently looks like a sales/marketing page rather than a working integration: there is no code, no APIs, no credentials, and no clear verification/activation process. Ask the publisher for: (1) source code or a hosted homepage, (2) a clear technical spec describing how voice messages, classification, and push reports are implemented (APIs, endpoints, required credentials), (3) privacy and data-handling policies for voice and financial data, and (4) an automated, verifiable activation flow (not just ‘send a screenshot’). If you consider paying, verify the recipient identity through an independent channel and prefer skills with published source or known vendors.
Latest Release
v1.0.1
- Added detailed payment instructions for Alipay and QQ Pay, including account info and QR code guidance.
- Expanded description to highlight voice input, budget reminders, and auto-generated weekly/monthly reports.
- Listed core features with icons for clarity (voice tracking, budget alerts, reports, smart categorization).
- Introduced clear pricing tiers (Free, Basic, Pro, Enterprise) with associated features and payment options.
- Outlined a step-by-step subscription and payment process for easier onboarding.
Published by @huyong2023 on ClawHub