Fiscal

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill is a coherent Actual Budget assistant, but it asks the agent to handle a server password and can change or sync personal finance records, so it deserves review before use.

Use this skill only if you trust the fscl CLI and understand that it can read and change your Actual Budget data. Avoid giving your password directly in chat if possible; run login yourself or use a secure credential mechanism. Before approving imports, rules, deletes, or syncs, ask for a dry-run or draft preview and confirm the exact budget, account, and date range.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user could be asked to reveal their Actual Budget server password to the agent, and that password may appear in command arguments or logs depending on the runtime environment.

Why it was flagged

This instructs the agent to collect a server password and pass it as a command-line argument. That is sensitive credential handling for a personal finance system, while the registry metadata declares no primary credential.

Skill content

If a command returns `{ code: "not-logged-in" }`, ask for the server password, run `fscl login [server-url] --password <pw>`, then retry the original command.

Recommendation

Prefer a safer login flow where the user runs `fscl login` themselves or uses a secure prompt/secret mechanism. The skill should declare the credential need and clearly explain how tokens are stored and scoped.

What this means

Approved actions can add, edit, delete, import, categorize, or sync budget data, so mistakes could affect financial records.

Why it was flagged

The skill is explicitly designed to run fscl commands that can modify financial records and sync those changes. The confirmation instruction is a positive guardrail, but users should notice the mutation authority.

Skill content

confirm financial decisions before executing ... Write commands auto-sync when a server is configured.

Recommendation

Use dry-runs and draft/apply previews for imports, rules, and bulk edits. Confirm the exact account, date range, and changes before allowing write commands.

What this means

Installing or running an external CLI package gives that package access to the local environment and budget files.

Why it was flagged

The skill itself has no install spec, but the documentation references npx/npm installation paths for the external CLI. This is purpose-aligned, but package provenance is not pinned or reviewed in the supplied artifacts.

Skill content

If init is run as `npx fscl init`, interactive mode also asks whether to install fscl globally with `npm install -g fscl`.

Recommendation

Install fscl only from a trusted source, verify the package/repository, and avoid running npx/npm commands automatically without user review.

What this means

Financial transactions, categories, rules, and budget changes may be sent to the configured Actual server.

Why it was flagged

The skill discloses that write operations may synchronize financial data to a configured Actual Budget server. This is expected for the integration, but it is sensitive data movement.

Skill content

Read commands (list, show, status) don't sync. Write commands auto-sync when a server is configured.

Recommendation

Confirm the server URL and budget before making changes. Use local mode or dry-runs when testing, and avoid syncing private financial data to an untrusted server.