Refund Radar

v1.0.1

Scan bank statements to detect recurring charges, flag suspicious transactions, and draft refund requests with interactive HTML reports.

by Francesco (@andreolf)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to be a local-first bank-statement auditor, which fits the described inputs/outputs (CSV parsing, detection rules, HTML reports). However, the SKILL.md repeatedly instructs running a Python module (python -m refund_radar), but this skill bundle contains no Python code or install mechanism. Either the skill is an instruction-only wrapper that assumes an external program already exists on the user's system, or the package is incomplete. That mismatch is disproportionate to the stated purpose and should be resolved.
Instruction Scope
Instructions reasonably limit scope to reading user-provided CSV/pasted transaction text and writing reports/state under ~/.refund_radar. SKILL.md explicitly states 'No network calls' and 'No external APIs'. There is no instruction to read other system files or access unrelated env vars. The main concern is that instructions delegate work to a local CLI that isn't provided; if the agent or user installs some other code to satisfy those commands, behavior may differ from what's described here.
Install Mechanism
There is no install spec in the skill bundle. The README/changelog and SKILL.md assert 'No external dependencies' and provide CLI usage for a Python package, but the bundle lacks that code. That leaves two problematic possibilities: (1) the skill expects the user to separately install https://github.com/andreolf/refund-radar — which must be audited before use — or (2) the agent could try to fetch/execute code from elsewhere to satisfy the CLI, creating a risk. The absence of an included, verifiable install mechanism is a red flag.
Credentials
The skill requires no environment variables, no credentials, and does not request access to unrelated services. It writes persistent state to a user-scoped path (~/.refund_radar) which is proportional to its purpose. Templates include placeholders for card last-4 digits, but that's user-provided data rather than a requested secret.
Persistence & Privilege
The skill writes only to user-home paths (~/.refund_radar/state.json, reports), does not request system-wide changes, and is not configured as always:true. Persistent storage of learned preferences is reasonable for this use case. Confirm permissions and that the path is acceptable for storing sensitive summary data.
What to consider before installing
Key things to check before installing or running:

1) The skill bundle contains only docs, templates, and rules — it does not include the Python code the SKILL.md expects. Verify whether you (or your organization) already have a trusted 'refund-radar' Python package installed; if not, do NOT run arbitrary commands that fetch/execute code without reviewing it.
2) If you plan to install code from the referenced GitHub repo (https://github.com/andreolf/refund-radar), inspect that repository for network calls, telemetry, and how it handles CSV input and state storage before running it on real bank statements.
3) This tool will read sensitive financial data you provide and store analysis under ~/.refund_radar — ensure that location and file permissions meet your privacy requirements and that you back up or securely delete sensitive files when done.
4) The skill claims 'no network calls' — confirm the actual implementation enforces this (offline processing) before supplying real data.
5) The requirement to avoid apostrophes in generated text is odd but harmless; nevertheless, verify generated templates for correctness.

If you cannot confirm the upstream code or are unwilling to audit it, treat this skill as untrusted and avoid providing real bank data.

Like a lobster shell, security has layers — review code before you run it.

Tags: audit, bank, finance, latest, privacy, refund, subscription
