ClawHub

Konto

v1.1.0

Deploy and run Konto (personal finance dashboard) locally. Use when setting up a new Konto instance, troubleshooting installation, or helping users get start...

0· 368·1 current·1 all-time
by@angelstreet
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill description says 'Deploy and run Konto (personal finance dashboard) locally' but the SKILL.md, api.md, and helper script are purely an API client / query helper (curl + jq) and contain no deployment or build instructions. That mismatch could be benign (misleading description) but is an incoherence a user should be aware of.
Instruction Scope
Runtime instructions consistently tell the agent/user to source ~/.openclaw/secrets/konto.env and then curl Konto endpoints. The instructions do not read other system files or credentials beyond that secrets file. They do not attempt to exfiltrate data to unexpected endpoints. Note: example default endpoints differ between files (SKILL.md/script use https://konto.angelstreet.io while api.md lists default http://localhost:5004).
Install Mechanism
There is no install spec (instruction-only) and the only bundled code is a small helper script (konto.sh) that issues curl calls. Nothing in the package downloads or extracts remote code during install.
Credentials
The skill requires an API key and URL (KONTO_API_KEY, KONTO_URL) to function; that is proportionate for an API client. However, the registry metadata lists no required env vars while the SKILL.md and script explicitly expect ~/.openclaw/secrets/konto.env — a minor metadata omission that could confuse users. Ensure you only provide the key to a trusted URL.
Persistence & Privilege
The skill does not request always:true, does not attempt to modify other skills or system-wide configuration, and doesn't persist tokens beyond reading the user's secrets file. It runs as an on-demand helper.
What to consider before installing
This skill appears to be a simple API client for a Konto service (it curls endpoints and expects an API key). Before installing or using it: 1) Be aware that the package description claims it will 'deploy' Konto locally but there are no deployment steps — if you wanted a deploy script, ask the author or reject the skill. 2) The helper script and SKILL.md source ~/.openclaw/secrets/konto.env — do not put secrets there unless you trust the endpoint. Confirm KONTO_URL is the host you expect (script defaults to https://konto.angelstreet.io while api.md mentions localhost). 3) Inspect or run the script yourself in a restricted environment (or a container) to verify behavior; the script only issues curl requests, but those requests will reveal your API key to the configured URL. 4) If you need analytics endpoints, note they require a different scope; only give that key if you understand the implications. If you want deployment instructions or source for running Konto locally, request those explicitly — they are not included here.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fdwvzagppnhpab0j2awy93n82cevf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments