Monarch Money
v1.0.1
TypeScript library and CLI for Monarch Money budget management. Search transactions by date/merchant/amount, update categories, list accounts and budgets, manage authentication. Use when user asks about Monarch Money transactions, wants to categorize spending, needs to find specific transactions, or wants to automate budget tasks.
by David Asaf @davideasaf
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (Monarch Money CLI & library) match the files and commands provided. The required environment variables (MONARCH_EMAIL, MONARCH_PASSWORD, MONARCH_MFA_SECRET) are exactly what a headless/automated client would need to log in and perform the described operations. The code targets api.monarch.com consistently (no unexpected remote endpoints).
Instruction Scope
SKILL.md + CLI code stay within the stated domain: listing/updating transactions, categories, accounts, and managing auth. The CLI reads and writes a local session at ~/.mm/session.json and a small cli-config at ~/.mm/cli-config.json (expected). Doctor/doctorCommand performs network connectivity checks to the declared API. Two items to be aware of: (1) documentation suggests disabling/re-enabling MFA to obtain the TOTP secret (this is an operational security risk / user action, not hidden code), and (2) the test command can run E2E tests (optionally write-capable) which will exercise the real API and may modify data if invoked with flags.
Install Mechanism
Install uses the packaged Node module (package: ".") and exposes a binary 'monarch-money'. No external arbitrary downloads, URL shorteners, or remote extract operations are present in the install metadata. This is a standard npm-style install of bundled code.
Credentials
The skill requests only authentication-related secrets (email, password, MFA TOTP secret). Those are sensitive but proportionate to a CLI that must authenticate and perform writes on the user's Monarch account. Users should understand the high sensitivity of MONARCH_MFA_SECRET (full TOTP secret) — providing it grants persistent ability to generate codes. No unrelated credentials or surplus environment variables are requested.
Persistence & Privilege
always:false (not force-included). The skill persists session state under ~/.mm which is appropriate for a CLI that reuses sessions. It does not request system-wide changes or modify other skills' configs. The package can be invoked by the agent autonomously per platform defaults, but that is not unique to this skill.
Assessment
This package appears coherent for a Monarch Money CLI, but it requires highly sensitive credentials (password + full TOTP/MFA secret). Before installing: (1) verify the source/maintainer since the registry 'Source: unknown' provides no upstream homepage; (2) review the bundled code yourself (or inspect the CaptchaAvoidanceService/CaptchaHandler files) if you are concerned about automation that attempts to circumvent interactive protections; (3) prefer using a throwaway or limited account if you must supply credentials/MFA secret for automation; (4) note that the tool stores session data in ~/.mm/session.json and saves an email to ~/.mm/cli-config.json — check file permissions and delete sessions when no longer needed; (5) be careful running the bundled tests or the 'test' command with write-enabled flags (--allow-writes or --all), as E2E write tests will modify real account data. If you need higher assurance, ask the publisher for provenance (homepage/repo) or run the CLI in an isolated environment first.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Env: MONARCH_EMAIL, MONARCH_PASSWORD, MONARCH_MFA_SECRET
Install
Install Monarch Money CLI
Bins: monarch-money
npm i -g .