v0.0.1

Wallet (By Budgetbakers)

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 5:46 AM.

Analysis

This is a coherent read-only helper for the BudgetBakers Wallet API, but users should notice that it requires a Wallet API token and can expose personal finance data to the agent.

Guidance: This skill appears purpose-aligned and read-only, but it handles financial account and transaction data through a bearer API token. Install/use it only if you trust the skill publisher and are comfortable letting your agent query Wallet data; keep the token revocable and avoid leaving it set in broad environments.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: High; Status: Note
metadata
Source: unknown; Homepage: none; Required env vars: none; Primary credential: none

The registry metadata does not advertise the required credential/provenance, even though the skill documentation and script require WALLET_API_TOKEN. This is a metadata/provenance gap rather than evidence of hidden behavior.

User impact: A user reviewing only the registry metadata may not realize, before opening the skill files, that the skill needs a Wallet API token and handles financial data.
Recommendation: Verify the skill source before providing a token. The publisher should update the metadata to declare WALLET_API_TOKEN, the curl dependency, and a trustworthy homepage/source.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium; Confidence: High; Status: Note
scripts/wallet-api.sh
TOKEN="${WALLET_API_TOKEN:-}" ... -H "Authorization: Bearer ${TOKEN}"

The helper requires a user-supplied Wallet API token and sends it as a bearer token to the BudgetBakers Wallet API. This is expected for the stated purpose, but it grants delegated access to personal finance data.

User impact: If used, the agent can retrieve Wallet account, transaction, budget, and profile information available to that API token.
Recommendation: Use a dedicated/revocable API token if possible, set WALLET_API_TOKEN only in environments where you intend to use this skill, and revoke the token if you no longer need the integration.