Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Konto API

v1.0.0

Access personal finance data from Konto including accounts, transactions, investments, assets, loans, subscriptions, and net worth summaries via API.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)

Purpose & Capability
Name/description (personal finance access) match the included scripts and API docs. Minor inconsistency: the registry metadata declares no required environment variables or primary credential, but the SKILL.md and scripts clearly expect KONTO_API_KEY and KONTO_URL.
Instruction Scope
Runtime instructions are explicit: source ~/.openclaw/secrets/konto.env and call Konto endpoints with curl. The skill reads only that secrets file and its included workspace script; it also documents analytics endpoints which require a separate analytics-scoped key. No unexpected file reads, broad system probing, or exfil endpoints beyond the configured KONTO_URL.
Install Mechanism
No install spec; this is instruction-only plus a small bash helper script included in the package. Risk is low because nothing is downloaded or extracted during install.
Credentials
The behavior requires KONTO_API_KEY and KONTO_URL (and optionally an analytics-scoped key) which are proportionate to the stated functionality. However, the skill registry did not declare these required env vars or a primary credential — a metadata omission that can mislead users about what secrets are needed.
Persistence & Privilege
always is false and model invocation is allowed (platform default). The skill does not request persistent system-wide privileges or modify other skills; it only reads a user-held secrets file and runs curl from the included script.
Assessment
This skill appears to do what it says (call Konto API endpoints) and needs an API key and base URL. Before installing:

(1) Be aware the SKILL.md asks you to store KONTO_API_KEY and KONTO_URL in ~/.openclaw/secrets/konto.env even though the registry metadata doesn't list them — the metadata omission is benign but confusing.
(2) Only use an API key issued by a trusted Konto instance; confirm KONTO_URL is correct (default points at konto.angelstreet.io).
(3) Limit file permissions on the secrets file (chmod 600) or use your platform's secret manager instead of a plaintext file.
(4) The skill can call analytics endpoints if you supply an analytics-scoped key — only provide that key if you intend cross-user analytics.
(5) The source/homepage is unknown; if you need stronger assurance, validate the owner identity or run the script in an isolated environment before giving it real credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bfhdthv02tx1bxh6eq98fch821rxg


SKILL.md

Konto — Personal Finance API

Query personal finance data from Konto (bank accounts, investments, assets, loans, transactions).

Setup

# ~/.openclaw/secrets/konto.env
export KONTO_API_KEY="konto_xxxxxxxxxxxx"
export KONTO_URL="https://konto.angelstreet.io"

Quick Answers

"How much BTC do I have?"

source ~/.openclaw/secrets/konto.env
curl -s -H "Authorization: Bearer $KONTO_API_KEY" "$KONTO_URL/api/v1/investments" | jq '.investments[] | select(.code | test("BTC|bitcoin"; "i")) | {label, quantity, current_value}'

"What's my net worth?"

curl -s -H "Authorization: Bearer $KONTO_API_KEY" "$KONTO_URL/api/v1/summary" | jq '{patrimoine_net, accounts: .accounts.total_balance, investments: .investments.total_value, assets: .assets.total_value, loans: .loans.total_remaining}'

"When does my loan end?"

curl -s -H "Authorization: Bearer $KONTO_API_KEY" "$KONTO_URL/api/v1/loans" | jq '.loans[] | {name, remaining_amount, end_date, monthly_payment}'

"What are my subscriptions?"

curl -s -H "Authorization: Bearer $KONTO_API_KEY" "$KONTO_URL/api/v1/summary" | jq '{count: .subscriptions.count, monthly: .subscriptions.monthly}'

"How much do I spend on housing?"

curl -s -H "Authorization: Bearer $KONTO_API_KEY" "$KONTO_URL/api/v1/transactions?months=6&category=logement" | jq '{total: .total, transactions: [.transactions[] | {date, label, amount}]}'

"Financial overview"

curl -s -H "Authorization: Bearer $KONTO_API_KEY" "$KONTO_URL/api/v1/summary"

Helper Script

bash ~/.openclaw/workspace/skills/konto/scripts/konto.sh summary
bash ~/.openclaw/workspace/skills/konto/scripts/konto.sh investments
bash ~/.openclaw/workspace/skills/konto/scripts/konto.sh transactions 3  # last 3 months
bash ~/.openclaw/workspace/skills/konto/scripts/konto.sh loans
bash ~/.openclaw/workspace/skills/konto/scripts/konto.sh assets
bash ~/.openclaw/workspace/skills/konto/scripts/konto.sh accounts

Endpoints

| Endpoint | Description |
|---|---|
| GET /api/v1/summary | Full financial overview (start here) |
| GET /api/v1/accounts | Bank accounts list |
| GET /api/v1/transactions?months=6&category=X | Categorized transactions |
| GET /api/v1/investments | Portfolio (ETFs, stocks, crypto) |
| GET /api/v1/assets | Real estate, vehicles |
| GET /api/v1/loans | Active loans |

Full API Reference

See ~/shared/projects/konto/docs/api.md for complete docs including analytics endpoints.

Scope

This skill uses a personal scope key (free). For cross-user analytics (pro), see the konto-analytics skill.

Files

3 total