← Back to Skills Marketplace
595
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install recite
Description
AI-powered receipt scanning that renames files by date/vendor, extracts transaction details, and logs them in a dynamic bookkeeping CSV.
Usage Guidance
Before installing or running this skill: (1) Understand that receipts (full images/PDFs) are uploaded to a third-party endpoint (recite.rivra.dev). Only proceed if you trust that service and its privacy/security practices. (2) The registry metadata does not list the required RECITE_API_KEY even though both SKILL.md and the script require it — treat the key as mandatory. (3) The SKILL.md promises behavior (reading long_term_memory.md and skipping rows when fields disappear) that the script does not implement; expect the script to write blanks or add new columns rather than skipping entries. (4) Back up your receipt folder before a run (files will be renamed) and test on a small set first. (5) If you need stronger privacy guarantees, request or implement an offline/local OCR alternative instead of sending images to an external API. (6) If you plan to use this skill in production, ask the author for corrected registry metadata, documentation that matches the code, and a privacy/security statement for the recite.rivra.dev endpoint.
Capability Analysis
Type: OpenClaw Skill
Name: recite
Version: 1.0.1
The skill's core functionality is benign, but the `process_receipts.py` script contains a path traversal vulnerability. It uses `sys.argv[1]` (target directory) and API-provided `vendor` and `date` fields directly in `os.path.join` and `os.rename` without robust sanitization, potentially allowing files to be renamed or moved to arbitrary locations if malicious input or API responses are provided. Furthermore, `SKILL.md` and `README.md` instruct the AI agent to read `long_term_memory.md` for custom instructions, creating a prompt injection surface against the agent, though the skill itself does not contain malicious instructions in this file.
Capability Assessment
Purpose & Capability
The code implements receipt scanning, renaming, and CSV bookkeeping consistent with the skill description. However, the registry metadata declares no required environment variables while the SKILL.md and the script both require a RECITE_API_KEY (or ~/.config/recite/config.json). That missing declaration is an incoherence that could mislead users and automated gating systems.
Instruction Scope
SKILL.md promises the agent will always read the skill's long_term_memory.md and that the agent will 'skip saving' rows when previously-present CSV fields are missing. The script defines a read_ltm() helper but never calls it, so LTM is not actually used. Also, the CSV logic does not 'skip' rows when fields are missing — it writes blanks or expands headers — so the documentation overstates behavior.
Install Mechanism
No install spec or remote downloads; the skill is instruction + a local Python script. That keeps installation risk low (nothing arbitrary is fetched or executed at install time).
Credentials
The script requires a Recite API key (RECITE_API_KEY or ~/.config/recite/config.json) but the registry metadata lists no required credentials. Additionally, the skill sends entire receipt files (base64-encoded) to https://recite.rivra.dev/apiV1/api/v1/scan — a potentially sensitive external endpoint. Requesting an API key for the service you integrate with is expected, but the missing registry declaration and external exfiltration of full images are proportionality/privacy concerns users must be aware of.
Persistence & Privilege
The skill does not request elevated platform privileges or permanent inclusion (always:false). It modifies files in the user-specified target folder (renaming and appending a CSV), which is coherent with its stated purpose. Autonomous invocation is allowed (platform default) but not by itself a new risk here.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install recite - After installation, invoke the skill by name or use
/recite - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
ASO update: Enhanced description with receipt/receipts, invoice/invoices, transactions/expenses, tax & accounting keywords.
v1.0.0
Initial release: AI-powered receipt scanning and bookkeeping.
Metadata
Frequently Asked Questions
What is Recite?
AI-powered receipt scanning that renames files by date/vendor, extracts transaction details, and logs them in a dynamic bookkeeping CSV. It is an AI Agent Skill for Claude Code / OpenClaw, with 595 downloads so far.
How do I install Recite?
Run "/install recite" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Recite free?
Yes, Recite is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Recite support?
Recite is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Recite?
It is built and maintained by rivradev (@rivradev); the current version is v1.0.1.
More Skills