Shelter
v1.0.3Connect to your Shelter financial data. Check safe-to-spend, predict cash crunches, find zombie subscriptions, simulate purchases, get AI coaching, and ask G...
⭐ 0· 459·0 current·0 all-time
byBrian Palmer@code-with-brian
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description claim a read-only financial coaching integration with Shelter; required binary (curl) and a single credential (SHELTER_API_KEY) align with making authenticated HTTP calls to the Shelter API. The included README, SKILL.md, and data model reference consistently describe the same API and features.
Instruction Scope
SKILL.md instructs the agent to call specific Shelter endpoints with the X-Shelter-Key header and summarizes expected JSON fields — this stays within the stated purpose. One minor discrepancy: examples reference an optional SHELTER_API_URL environment variable (with a default), but that variable is not declared in requires.env; the default mitigates the risk, but the docs ask users to "confirm they're set" which could be clearer.
Install Mechanism
There is no remote download or package installation performed by the skill at runtime. The package contains a small install-skill.js that copies SKILL.md and the references directory into ~/.claude/skills (or a project-level path). This is typical for instruction-only skills; no external URLs, archives, or executables are fetched or executed beyond the local postinstall script.
Credentials
Only one credential is required (SHELTER_API_KEY) which is proportional to a hosted API integration. No unrelated secrets or broad system credentials are requested. Note: SKILL.md mentions an optional SHELTER_API_URL env var that isn't listed in the declared requirements.
Persistence & Privilege
always is false (normal). The install script writes skill files into the user's ~/.claude/skills directory, and uninstall removes them; it does not modify other skills or system-wide agent settings. The skill does not request elevated privileges or permanent forced inclusion.
Assessment
This skill appears to be what it says: a read-only Shelter integration. Before installing: (1) Verify you trust the provider (shelter.money) and the package source (repository/homepage) since the package will copy files into ~/.claude/skills via postinstall. (2) Create a scoped API key in Shelter with the minimum permissions needed and set it as SHELTER_API_KEY in your environment; avoid embedding long-lived keys in code. (3) Be aware SKILL.md references SHELTER_API_URL (with a default) but doesn't declare it as required — if you use a non-default endpoint, set that env var explicitly. (4) Review or audit the install/uninstall scripts if you have stricter security needs; they only copy and remove files, but it's good practice to inspect any local postinstall behavior. (5) If you require higher assurance, test with a limited or read-only key and monitor Shelter's audit logs and your account for unexpected calls. If anything about the homepage, repository, or ownership looks unfamiliar, do not install and ask the provider for additional verification.Like a lobster shell, security has layers — review code before you run it.
latestvk97b9qcny2cxht7f957v0cspbn81nfnf
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🛡 Clawdis
Binscurl
EnvSHELTER_API_KEY
Primary envSHELTER_API_KEY