ClawHub

Up Bank

v1.0.0

Read-only access to Up Bank accounts, transactions, categories, and tags

0· 61·0 current·0 all-time
byAshley Jackson@ashleyjackson
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (read-only Up Bank access) match the declared requirement (UP_API_TOKEN) and the listed endpoints. No unrelated binaries, services, or credentials are requested.
Instruction Scope
SKILL.md describes only read-only API calls and explicitly requires JIT approval per request and not storing tokens. Minor inconsistency to note: the doc asks for JIT approval yet also instructs users to set UP_API_TOKEN as an environment variable—setting the env var is fine for a short-lived session but persistent global ENV storage would contradict the stated 'do not store tokens permanently' guidance.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest-risk install profile (nothing is downloaded or written to disk by the skill itself).
Credentials
Only a single credential (UP_API_TOKEN) is required, which is appropriate for the stated read-only API functionality. No other sensitive env vars or unrelated credentials are requested.
Persistence & Privilege
Skill is not always-enabled and uses default autonomous invocation settings. Nothing requests elevated or system-wide persistence; SKILL.md discourages permanent token storage.
Assessment
This skill appears internally consistent for read-only Up Bank access, but note the publisher/source is listed as unknown and there is no homepage — you cannot verify the author from the package metadata. Before installing: (1) prefer providing the UP_API_TOKEN only at runtime (or use a short-lived token) instead of storing it globally in your shell profile; (2) restrict the token's scope and revoke it if you stop using the skill; (3) require the skill to ask for explicit approval before each API call (the SKILL.md says JIT approval is required); and (4) if you want stricter limits, disable autonomous invocation for this skill so it cannot run without you initiating it.

Like a lobster shell, security has layers — review code before you run it.

latestvk97aq9xaggmtkdsa5sdcpm2g0584b95a

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🏦 Clawdis
EnvUP_API_TOKEN
Primary envUP_API_TOKEN

Comments