Subscription Tracker

Tracks and analyzes recurring charges from uploaded bank statements without bank linking, alerts upcoming renewals, duplicates, price hikes, and aids cancell...

What to check before you install - Inspect setup.sh and renewal-check.sh before running them. Look for any network calls, curl/wget/http requests, or code that writes outside ~/.normieclaw. If setup.sh registers cron jobs or systemd timers, ensure the scheduling behavior matches what you want. - Confirm PDF extraction: SKILL.md expects a 'pdf' tool for text extraction but the skill doesn't declare that dependency. Determine which binary or plugin the agent will call (pdftotext, pdfgrep, or a third-party tool), and install a trusted one if you need PDF parsing. - Be aware of data sent to the LLM: SECURITY.md admits that statement contents are sent to your model provider as conversation context. If you use a cloud-hosted model, that provider may log or retain data per their policy. If this is a concern, run the agent with a local model or avoid uploading full statements. - Check exported files and directory permissions: ~/.normieclaw/subscription-tracker will contain sensitive financial data and stored statements. Restrict filesystem permissions (chmod 700 ~/.normieclaw and 600 for subscriptions.json) and back up/delete as needed. The README includes an rm -rf command for deletion — verify it before running. - Verify no hidden endpoints: The visible scripts and config do not show external endpoints, but some files were truncated. If you are not comfortable reviewing the remaining scripts, do not run setup.sh and instead manually create the ~/.normieclaw layout and run only the scripts you trust. - jq and other tooling: export-subs.sh requires jq (and uses bc). Ensure you install trustworthy packages from your OS package manager. Why I flagged this as suspicious (not malicious) - The skill is coherent for its stated purpose and the visible scripts are benign. The reasons for 'suspicious' are (1) truncated/not-shown scripts could implement scheduled runs or network behavior you should verify, (2) the unspecified 'pdf' tool could cause the agent to call unexpected binaries or plugins, and (3) automatic sending of statement contents to the model provider increases privacy risk if scheduled or automated runs occur. These are all explainable design decisions for this type of tool, but they merit explicit review before installation. If you want, I can (a) show the full contents of setup.sh and renewal-check.sh (if you paste them) and point out any risky calls, or (b) provide a safe, minimal manual-install checklist so you can use the tool without granting it scheduled execution rights.

Type: OpenClaw Skill Name: normieclaw-subscription-tracker Version: 1.0.3 The Subscription Tracker skill bundle is a well-structured tool for managing recurring expenses locally without external bank integrations. It uses Bash scripts (setup.sh, export-subs.sh, renewal-check.sh) and jq to process transaction data from user-uploaded CSV/PDF statements into a local JSON database. Security practices are evident, such as the setup script enforcing restricted file permissions (700/600) on sensitive data directories. No indicators of malicious intent, data exfiltration, or prompt injection were found; the tool functions entirely within the local environment and provides clear documentation regarding data privacy and AI processing risks.