Pane
PassAudited by ClawScan on May 1, 2026.
Overview
Pane is a disclosed personal-finance MCP integration, but installing it gives the agent access to highly sensitive financial data and persistent finance notes through your Pane API key.
Before installing, make sure you trust Pane, the hosted MCP endpoint, and mcporter with your financial data. Keep PANE_API_KEY in an environment variable, do not paste it into chats, use Pane privacy scopes, and explicitly control when the agent writes or deletes persistent annotations.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed and given a valid API key, the agent can retrieve detailed personal financial information from Pane.
The skill grants broad delegated access to a user's linked financial accounts. This matches the stated purpose, but it is highly sensitive authority.
Access a user's linked financial accounts via Pane... Query bank accounts, transactions, balances, spending summaries, recurring payments, investments, liabilities, and crypto holdings.
Install only if you trust Pane and the agent with this data; use Pane privacy scopes where possible and revoke or rotate the API key when no longer needed.
Incorrect or overly sensitive annotations could be surfaced again in later financial analysis.
The skill can store finance-related context that is reused across conversations and future tool results. This is disclosed and purpose-aligned, but persistent notes can affect later agent reasoning.
Annotations are persistent notes attached to transactions, merchants, accounts, or the user's profile. They appear in future tool results automatically.
Ask the agent to write annotations only when you intend it, review saved annotations periodically, and delete inaccurate or unnecessary notes.
Your agent's finance queries and the Pane API credential are used through the hosted MCP connection.
The integration sends bearer-authenticated MCP traffic to Pane's hosted server. This is central to the skill's purpose, but it creates an external service boundary for sensitive finance data.
mcporter config add pane --url https://mcp.pane.money --header "Authorization: Bearer $PANE_API_KEY"
Verify the Pane domain before configuring it, keep the API key out of chat transcripts and logs, and remove the mcporter configuration if you stop using the skill.
Using Pane also means relying on mcporter to handle MCP calls and the configured authorization header.
The skill is instruction-only and relies on a separate mcporter skill/binary to reach the MCP server. That dependency is expected for the stated purpose but should be trusted separately.
"install":[{"id":"mcporter","kind":"skill","skill":"steipete/mcporter","label":"Install mcporter skill"}]Install mcporter from a trusted source and keep it updated; avoid using this skill if you do not trust that dependency.