Konto API
Review
Audited by ClawScan on May 10, 2026.
Overview
This looks like a read-only Konto finance API helper, but it requires a sensitive API key and should only be used with a trusted provider and limited scope.
Only install this if you trust the Konto API provider and maintainer. Use a least-privilege personal API key, keep `~/.openclaw/secrets/konto.env` private, verify the helper script path before running it, and ask the agent not to fetch or share financial details unless you explicitly want that.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent with access to this key can retrieve sensitive financial information from the Konto API.
The skill requires a bearer API key and uses it to retrieve personal finance summaries and related data. This is expected for the stated purpose, but it is sensitive and not declared in the registry credential metadata.
```
export KONTO_API_KEY="konto_xxxxxxxxxxxx"
...
curl -s -H "Authorization: Bearer $KONTO_API_KEY" "$KONTO_URL/api/v1/summary"
```
Use a personal-scope, least-privilege Konto key; store it securely; rotate it if exposed; and avoid sharing command outputs that contain financial details.
If an analytics-scoped key is placed in the same secrets file, this skill can access broader aggregate analytics than the main personal-finance purpose suggests.
The helper can call analytics endpoints even though SKILL.md says this skill uses a personal scope key and points cross-user analytics to a separate `konto-analytics` skill. The API docs disclose that analytics requires a separate scope and is read-only aggregate data.
```
analytics) curl -s -H "$AUTH" "$URL/api/v1/analytics/${2:-demographics}" ;;
```
Use a personal-scope key for this skill unless you intentionally want analytics access; separate analytics credentials into the dedicated analytics workflow.
Users have less independent information for deciding whether to trust the integration before entering a sensitive API key.
The artifacts do not provide a public source or homepage to verify the maintainer or service provenance, which matters more because the skill handles a financial API key.
Source: unknown
Homepage: none
Verify the Konto service URL, maintainer, and expected API key scope before configuring credentials.
