Wallet (By Budgetbakers)

v0.0.1

Interact with the BudgetBakers Wallet API for personal finance data. Use when the user needs to query accounts, categories, transactions (records), budgets,...

by Carlos Andres (@andresubri)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's name, description, SKILL.md, and included script are coherent: they call BudgetBakers' Wallet API and require a bearer token. However, the registry metadata lists no required environment variables or primary credential while the SKILL.md and scripts clearly require WALLET_API_TOKEN. This metadata omission is inconsistent and should be corrected.
Instruction Scope
The runtime instructions and script are narrowly scoped to calling the BudgetBakers Wallet REST API endpoints. They only reference WALLET_API_TOKEN and do not read other system files, config paths, or contact unexpected endpoints.
Install Mechanism
This is an instruction-only skill with a small shell helper script and no install spec — low-risk from an installation perspective (no downloads or archive extraction).
Credentials
The script legitimately requires a single API token (WALLET_API_TOKEN) which is proportionate to the task. The concern is that the skill registry metadata does not declare this required secret; that mismatch could lead to accidental token disclosure or misconfiguration and prevents automated platforms from prompting for the credential properly.
Persistence & Privilege
The skill does not request persistent or elevated privileges (always:false) and does not modify other skills or system-wide settings. It only runs the included script when invoked.
What to consider before installing
The code and instructions look like a simple Wallet API wrapper and only need your WALLET_API_TOKEN. Before installing: (1) confirm the skill's source/homepage or maintainer since 'Source' and 'Homepage' are missing; (2) do not paste your real token publicly—ensure the token has limited scope and can be revoked; (3) ask the publisher or registry to update metadata to list WALLET_API_TOKEN as a required credential so the platform can handle it safely; (4) verify network traffic goes only to rest.budgetbakers.com if you need stronger assurance (the script currently only contacts that host). If you can't verify the publisher or metadata, treat this as higher risk and avoid installing until clarified.

Like a lobster shell, security has layers — review code before you run it.
