Actual AI CLI
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly purpose-aligned, but its diagnostic script may print API key values from the Actual config because its redaction logic is incomplete.
Before installing, verify the Actual CLI source, prefer dry-run and interactive confirmation over --force, and review generated CLAUDE.md/AGENTS.md/Cursor rule changes. Avoid running scripts/diagnose.sh or sharing `actual config show` output with real credentials unless you have confirmed all secrets are masked.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A troubleshooting run could reveal API keys or other sensitive configuration values to the agent session or logs.
The script prints full config output and only redacts api_key lines containing specific token prefixes such as sk- or key-. API keys with other formats, such as Cursor keys or future provider formats, could be printed into the agent transcript despite the script claiming it never prints secrets.
```
config_output=$(actual config show 2>&1) || config_output="(could not read config)"
...
case "$line" in
  *api_key*:*sk-*|*api_key*:*key-*)
    field=$(echo "$line" | cut -d: -f1)
    info "$field: [REDACTED]"
    ;;
  *)
    [ -n "$line" ] && info "$line"
    ;;
```
Do not run the diagnostic script with real credentials until redaction is broadened to suppress all api_key fields regardless of value format, or confirm that the underlying CLI already masks secrets.
Incorrect or unwanted ADR guidance could persist in project instruction files and influence future agent work.
The skill’s intended output is persistent instruction files that future coding agents and Cursor may automatically consume. This is disclosed and purpose-aligned, but it can affect later agent behavior.
| claude-md | `CLAUDE.md` | `# Project Guidelines` | Claude Code (default) |
| agents-md | `AGENTS.md` | `# Project Guidelines` | OpenCode and other agent tools |
| cursor-rules | `.cursor/rules/actual-policies.mdc` | YAML frontmatter | Cursor IDE |
...
`alwaysApply: true` ensures the policies are always active in Cursor.
Review generated CLAUDE.md, AGENTS.md, and Cursor rule changes before accepting them, especially when ADRs come from remote services or are AI-tailored.
If used casually, --force could update project guidance files without the user reviewing the exact changes first.
The CLI documents a no-confirmation mode for writing generated ADR guidance. This is purpose-aligned, but it removes the normal review checkpoints for changes to agent instruction files.
`--force` flag: Skips this confirmation and writes all files.
Prefer `actual adr-bot --dry-run` and normal confirmation prompts; reserve `--force` for trusted, reviewed workflows.
Installing or running the external CLI grants it access to the local project and configured provider credentials.
The skill relies on an external Actual CLI installed from package managers or releases. This is central to the stated purpose, but users are still trusting that external binary.
| npm/npx (quickest) | `npm install -g @actualai/actual` |
| Homebrew (macOS/Linux) | `brew install actual-software/actual/actual` |
| GitHub Release (manual) | Download from `actual-software/actual-releases` on GitHub |
Install Actual only from trusted official sources and keep it updated; verify the package or release source before use.
