Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Maybe Finance - Personal Finance Assistant

v1.0.0

Personal finance management skill using Maybe Finance OS. Use when users need to track expenses, analyze budgets, monitor net worth, or manage personal finan...

by antonia huang (@antonia-sz)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending (View report →)
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
The skill claims to integrate with a Maybe Finance self‑hosted instance (track transactions, manage accounts, etc.). The SKILL.md instructs you to deploy Maybe and set MAYBE_API_URL and MAYBE_API_TOKEN. However, the provided CLI implementation mainly prints hardcoded/mock data for accounts, transactions, budgets, net worth and never invokes the make_api_request helper. Registry metadata lists no required env vars/credentials despite SKILL.md requiring them. This mismatch suggests the implementation does not deliver the claimed integration.
Instruction Scope
SKILL.md stays within the stated domain (deploy Maybe via Docker, set API URL/token, use CLI commands). It does not instruct reading unrelated system files or sending data to third‑party endpoints. However, the instructions imply network/API activity while the code does not perform it — ambiguous scope: user guidance asks for credentials that the shipped code doesn't actually use in its command handlers.
Install Mechanism
No install spec is provided and the skill is instruction + single Python script. Nothing is downloaded or installed automatically by the skill package itself, which lowers risk.
! Credentials
SKILL.md requires MAYBE_API_URL and MAYBE_API_TOKEN (reasonable for a remote API integration). But the registry metadata declares no required env vars/primary credential, so the published manifest is inconsistent with the runtime instructions. That inconsistency is concerning because a user could be prompted to provide sensitive API tokens that the package metadata did not advertise. The code reads those env vars but does not use them in the visible command flows.
Persistence & Privilege
The skill does not request always:true and there is no indication it modifies other skills or system-wide settings. Default autonomy flags are unchanged. No special persistence or elevated privilege is requested.
What to consider before installing
This skill is inconsistent: the docs tell you to deploy Maybe Finance and set MAYBE_API_URL and MAYBE_API_TOKEN, but the included CLI mostly prints hardcoded demo data and doesn't actually call the API handlers. Before installing or supplying any API token:
1) Treat the repository as incomplete/demo code, not a finished integrator.
2) Inspect or run the script locally in a safe environment to confirm behavior (it currently prints mock data).
3) Do not provide real API tokens or credentials until you verify the code actually uses them correctly and securely.
4) Ask the publisher/author why registry metadata omits the required env vars and whether a future release will implement real API calls.
5) Prefer getting a version from the official upstream Maybe Finance project or a trusted maintainer; run any networked code behind firewall/monitoring if you must test it.


Tags: budget, finance, latest, personal-finance

