Shelter
Pass
Audited by ClawScan on May 1, 2026.
Overview
Shelter appears to be a transparent read-only financial-data integration, but installing it lets an agent use your Shelter API key to view sensitive financial insights.
Install only if you are comfortable letting your agent retrieve read-only Shelter financial insights. Use a scoped API key, keep it out of logs and shared terminals, verify the API URL and npm package source if installing manually, and revoke the key when you no longer need the integration.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone installing this should understand that the agent can use the API key to retrieve financial health, cash-flow, and coaching data from Shelter.
The skill requires a Shelter API key and tells the agent to attach it to API calls. This is expected for the service, but it grants access to sensitive financial insights.
Every request needs two things:
- **Header**: `X-Shelter-Key: $SHELTER_API_KEY`
Use a scoped Shelter API key, store it securely, review what scopes it grants, and revoke it from Shelter settings if no longer needed.
If the API URL environment variable is changed to an unintended host, the Shelter API key could be sent there.
The skill uses curl to call Shelter endpoints and supports an overridable base URL. This is purpose-aligned, but users should ensure SHELTER_API_URL points only to the intended Shelter API before sending the key.
curl -s -H "X-Shelter-Key: $SHELTER_API_KEY" \
  "${SHELTER_API_URL:-https://api.shelter.money/agent}/v1/status"
Leave SHELTER_API_URL unset unless you intentionally use a trusted Shelter endpoint, and verify environment variables before use.
Installing via npm can automatically modify the local Claude skill directory.
The npm package runs local lifecycle scripts that install or remove the skill files. The included scripts are simple file-copy/removal operations, but npm lifecycle execution is still something users should notice.
"scripts": {
"postinstall": "node install-skill.js",
"preuninstall": "node uninstall-skill.js"
}
Prefer the reviewed ClawHub install path when possible, or inspect the package and scripts before installing via npm.
A user following the README may install a different npm package than the one represented by the included package manifest.
The README's npm install command does not match the package name shown in package.json, which is `@shelter.money/agent-skill`. This creates minor provenance ambiguity for users choosing npm installation.
npm install -g @shelter/agent-skill
Verify the exact npm package name, publisher, and repository before installing outside ClawHub.
