Konto

Review

Audited by ClawScan on May 10, 2026.

Overview

Konto looks like a read-only finance API helper, but its local-deployment description and metadata do not match its remote API-key access to sensitive financial data.

Only install this if you trust the Konto service and are comfortable letting an agent use a Konto API key to read your personal financial data. Confirm whether you intend to use the hosted URL or a local instance, and avoid providing an analytics-scope key unless you specifically need that broader access.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may install it expecting a local setup helper, while the skill actually helps an agent query a remote finance API containing private account and transaction data.

Why it was flagged

The user-facing description says the skill is for local deployment, but SKILL.md and scripts/konto.sh configure/query a hosted API at https://konto.angelstreet.io. For a personal finance tool, this mismatch can mislead users about where their data is being accessed.

Skill content

Description: Deploy and run Konto (personal finance dashboard) locally.

Recommendation

Update the description and docs to clearly state whether this is a local deployment helper or a remote API-query helper, and disclose the default remote service before users provide an API key.

What this means

If the API key is present, the agent can retrieve sensitive financial information such as balances, transactions, investments, loans, and assets, despite the registry metadata not warning about a required credential.

Why it was flagged

The registry metadata declares no required environment variables and no primary credential, which conflicts with SKILL.md's setup instructions for KONTO_API_KEY and with scripts/konto.sh sourcing ~/.openclaw/secrets/konto.env. The skill needs credentialed access to a personal finance account but does not declare that credential contract in its metadata.

Skill content

Required env vars: none ... Primary credential: none

Recommendation

Declare KONTO_API_KEY, KONTO_URL, and the secrets file path in metadata, and clearly document the exact data the key permits the agent to read.

What this means

A broader analytics-scope key could be used through this skill even though the main skill description emphasizes personal finance queries.

Why it was flagged

The helper script supports analytics endpoints. api.md documents that these require an analytics-scope key, while SKILL.md says the skill uses a personal scope key and points cross-user analytics to a separate konto-analytics skill.

Skill content

analytics)    curl -s -H "$AUTH" "$URL/api/v1/analytics/${2:-demographics}" ;;

Recommendation

Remove analytics access from this personal skill or clearly declare the optional analytics scope and when it should be used.

What this means

Users have less assurance that the reviewed package metadata matches the registry entry they are installing.

Why it was flagged

The packaged _meta.json lists a different owner/version than the registry metadata shown for this review. Combined with unknown source and no homepage, this is a provenance gap for a finance-related skill.

Skill content

{"ownerId": "kn73vp5rarc3b14rc7wjcw8f8580t5d1", "slug": "konto", "version": "1.0.0"

Recommendation

Align packaged metadata with the registry record and provide a verifiable source or homepage.