Just Fucking Cancel
PassAudited by ClawScan on May 10, 2026.
Overview
This instruction-only skill is purpose-aligned and user-controlled, but users should treat bank transaction data, optional Plaid credentials, and the generated HTML report as sensitive.
This looks reasonable for a manual subscription audit. Use CSV mode if you want the lowest data exposure, only provide Plaid credentials if you intend to use Plaid, and avoid sharing the generated HTML report without redacting service names and amounts.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If Plaid mode is used, the skill may access transaction history for a connected bank account through Plaid.
The skill discloses optional Plaid credentials for connected bank transaction access. This is aligned with the subscription-audit purpose, but it is sensitive account-linked authority.
`PLAID_CLIENT_ID`, `PLAID_SECRET`, `PLAID_ACCESS_TOKEN` - Access token for the bank connection
Prefer CSV mode if you do not need Plaid; if using Plaid, use only the intended account connection and revoke or rotate access when finished.
Using Plaid sends financial transaction data to Plaid, while CSV mode is described as local-only.
The artifact clearly discloses an external provider data flow for Plaid mode. This is expected for the integration, but it means transaction data leaves the local workflow.
**Privacy note**: When using Plaid, transaction data is transmitted to Plaid's API. CSV analysis is fully local.
Use Plaid only if you are comfortable with Plaid receiving the transaction data needed for the audit.
A generated report may still contain subscription names and costs even when the privacy toggle is enabled.
The privacy mode visually blurs service names but does not redact them from the HTML, and names can reappear on hover.
body.privacy-mode .service-name { filter: blur(5px); user-select: none; } body.privacy-mode .service-name:hover { filter: none; }Do not share the raw HTML report unless you have reviewed or redacted the underlying service names and amounts.
Users may be unsure whether the skill only provides cancellation links or can automate account changes.
This publishing note conflicts with SKILL.md's runtime statement that there is 'No automated browser interaction.' No executable automation is present, but the documentation inconsistency could confuse users.
- Browser automation for cancellations
Treat the current SKILL.md manual-cancellation workflow as the operative behavior, and update or ignore the stale publishing note before relying on the skill.