Payments & Banking

Warn

Audited by ClawScan on May 10, 2026.

Overview

Review before use: this skill can direct an agent to perform banking actions that move money, but its credential and approval boundaries are not clearly defined.

Treat this as a high-risk financial integration. Only use it with a verified AIOT payment endpoint, do not let an agent complete transfers or remittances without your explicit confirmation, and never provide banking credentials or transaction PINs unless you understand exactly how they are handled.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If connected to a real authenticated account, an agent could initiate or confirm financial transactions or change recipient records.

Why it was flagged

The skill exposes API operations that can move money internationally and mutate saved banking recipients. These are purpose-aligned but high-impact, and the visible instructions do not clearly bound final execution with explicit human approval, amount limits, recipient verification, or rollback guidance.

Skill content

`initiate_transfer` — Start a money transfer ... `confirm_transfer` — Confirm a pending transfer ... `initiate_remittance` ... `confirm_remittance` ... `delete_recipient`

Recommendation

Use only with explicit user confirmation at both quote and final confirmation steps, verify recipient and amount out-of-band, and avoid allowing autonomous invocation for final money-moving actions.

What this means

Users may not know what credentials the skill expects or how a transaction PIN will be handled before account-changing actions occur.

Why it was flagged

The skill requires sensitive banking authentication and transaction PIN use, but the registry requirements only identify `AIOT_API_BASE_URL` as the primary credential and do not define how auth tokens or PINs are scoped, provided, protected, or prevented from reuse.

Skill content

All financial operations require authentication ... Transfer, remittance, and conversion confirmations require a transaction PIN

Recommendation

Declare the exact authentication mechanism and scopes, require a fresh PIN only at the provider-controlled confirmation step, do not store PINs, and prefer limited or transaction-specific credentials.

What this means

A user may connect financial workflows to a provider they cannot independently verify from the supplied artifacts.

Why it was flagged

For a banking and payments skill, the lack of a verifiable source or homepage is a provenance gap that makes it harder for users to confirm the API provider and intended trust boundary.

Skill content

Source: unknown; Homepage: none

Recommendation

Install only if you can verify the provider and API base URL through trusted documentation, and avoid using real banking credentials with unverified endpoints.