Wallet (By Budgetbakers)
PassAudited by ClawScan on May 1, 2026.
Overview
This is a coherent read-only helper for the BudgetBakers Wallet API, but users should notice that it requires a Wallet API token and can expose personal finance data to the agent.
This skill appears purpose-aligned and read-only, but it handles financial account and transaction data through a bearer API token. Install/use it only if you trust the skill publisher and are comfortable letting your agent query Wallet data; keep the token revocable and avoid leaving it set in broad environments.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used, the agent can retrieve Wallet account, transaction, budget, and profile information available to that API token.
The helper requires a user-supplied Wallet API token and sends it as a bearer token to the BudgetBakers Wallet API. This is expected for the stated purpose, but it grants delegated access to personal finance data.
TOKEN="${WALLET_API_TOKEN:-}" ... -H "Authorization: Bearer ${TOKEN}"Use a dedicated/revocable API token if possible, set WALLET_API_TOKEN only in environments where you intend to use this skill, and revoke the token if you no longer need the integration.
A user reviewing only registry metadata may not realize before opening the skill files that it needs a Wallet API token and handles financial data.
The registry metadata does not advertise the required credential/provenance, even though the skill documentation and script require WALLET_API_TOKEN. This is a metadata/provenance gap rather than evidence of hidden behavior.
Source: unknown; Homepage: none; Required env vars: none; Primary credential: none
Verify the skill source before providing a token, and the publisher should update metadata to declare WALLET_API_TOKEN, the curl dependency, and a trustworthy homepage/source.