Monarch Money

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Monarch Money integration, but it handles very sensitive financial credentials and exposes broad account-changing powers with some weak safeguards.

Review this before installing because it can log in to Monarch Money with your password and MFA seed, read sensitive financial data, save reusable session tokens locally, and modify or delete financial records. Use a dedicated environment, avoid passing secrets on the command line, keep debug logging off, clear ~/.mm/session.json when done, and only use mutating commands when you have verified the exact transaction, category, account, or rule being changed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (24)

Description-Behavior Mismatch

Medium (95% confidence)
Finding:
The CLI exposes transaction creation and deletion capabilities that exceed the stated skill description of searching, categorizing, and budget-management assistance. This scope expansion increases the blast radius from read/update operations to destructive and state-changing actions, which can enable accidental or unauthorized financial record manipulation if an agent or user invokes these commands under assumptions set by the manifest.

Description-Behavior Mismatch

Medium (93% confidence)
Finding:
The skill manifest describes transaction, categorization, and budget-management use cases, but this file adds access to broader sensitive domains including credit score, net worth history, notifications, and subscription details. That mismatch expands the reachable data surface beyond user expectations and can lead to over-collection or misuse of highly sensitive financial data if the agent invokes these methods without explicit, informed user consent.

Context-Inappropriate Capability

High (80% confidence)
Finding:
deleteAllTransactionRules enables account-wide destructive policy removal in a single call, which is more sensitive than routine transaction lookup or categorization. In an agent/CLI context, accidental invocation, prompt-induced misuse, or overbroad tool exposure could silently erase automation logic across the user's account and materially alter future transaction processing.

Context-Inappropriate Capability

Medium (93% confidence)
Finding:
The code explicitly implements 'more human-like behavior' through timing controls that are unrelated to core budget-management functionality. In a finance client, deliberate request-humanization can indicate an attempt to evade platform bot detection or access controls, which increases security and compliance risk even if no direct exploit payload is present.

Context-Inappropriate Capability

Medium (96% confidence)
Finding:
Adding randomized jitter specifically to make requests appear more human-like is not necessary for normal GraphQL client operation and can be used to disguise automation. In the context of a third-party financial service client, this makes the skill more suspicious because it may help bypass anti-automation monitoring or terms-of-service controls.

Description-Behavior Mismatch

Medium (92% confidence)
Finding:
The documentation explicitly exposes raw GraphQL query and mutation access through an internal client property, which can enable operations beyond the higher-level budget-management functions described for the skill. In an agent context, this increases the chance of overbroad data access or unintended writes to sensitive financial data because callers can construct arbitrary operations without guardrails, validation, or operation allowlisting.

Intent-Code Divergence

Medium (96% confidence)
Finding:
The header explicitly labels these tests as "READ-ONLY and safe for automated execution," but the file performs real authentication against the production Monarch API using live email, password, and MFA secret. That mismatch is dangerous because operators or automation may run the test suite assuming it is harmless, causing unintended use of sensitive credentials and outbound authentication to a third-party service.

Vague Triggers

Medium (78% confidence)
Finding:
The activation text is broad enough to match many generic finance-related requests, which can cause the skill to be selected in contexts where users did not intend to authorize access to banking-style data or account-modifying actions. In a financial skill that handles credentials and account data, overbroad routing materially increases the risk of unnecessary secret use and unintended operations.

Missing User Warnings

High (95% confidence)
Finding:
The skill asks users to provide an account email, password, and especially a TOTP seed/MFA secret, which is a highly sensitive long-lived secret that can generate future login codes. Without strong warnings and handling guidance, users may store or expose these values insecurely, enabling account takeover and bypass of multi-factor protections.

Missing User Warnings

Medium (89% confidence)
Finding:
The documentation states that authentication sessions are cached to a predictable file on disk but does not warn users about the security implications. On shared or insufficiently secured systems, session files can be copied or reused by other local users or processes, granting access to financial data without re-entering credentials.

Missing User Warnings

Medium (87% confidence)
Finding:
The login command accepts credentials via CLI flags and environment variables without warning users that command-line arguments may be exposed through shell history, process listings, or job control tools. In a finance-related CLI handling Monarch Money credentials and optional MFA secrets, this creates a realistic risk of local credential disclosure even though the code is not overtly malicious.

Missing User Warnings

Medium (88% confidence)
Finding:
The command performs a live mutation of a user's financial transaction by calling the split-update API immediately after previewing data, but it does not require an explicit confirmation step or present a strong irreversible-action warning. In a budgeting CLI, accidental invocation, bad input JSON, or user misunderstanding can silently alter transaction categorization and receipt splits, creating integrity issues in financial records.

Missing User Warnings

Medium (86% confidence)
Finding:
These methods perform network requests for sensitive financial and credit-related information, but the code shows no mechanism for ensuring explicit user disclosure or consent before fetching that data. In an agent context, silent retrieval of net worth, credit score, notifications, and subscription information is dangerous because it may violate user expectations, privacy requirements, or principle-of-least-surprise even if the backend itself is authenticated.

Missing User Warnings

Medium (89% confidence)
Finding:
deleteTransaction performs a destructive action immediately after ID validation, with no confirmation, preview, or built-in safety interlock in this layer. In an agent-driven workflow, this increases the chance of accidental or socially engineered deletion of financial records, especially when user intent may be ambiguous.

Missing User Warnings

Medium (92% confidence)
Finding:
deleteAllTransactionRules is a bulk destructive operation with potentially large account-wide consequences, yet this code issues the mutation directly without any warning, preview, or confirmation guard. In a skill exposed to LLM agents, lack of friction materially raises the risk of prompt-manipulated or mistaken mass deletion of user automation rules.

Missing User Warnings

Medium (84% confidence)
Finding:
deleteTransactionCategory removes budgeting configuration without any explicit warning or confirmation mechanism in this layer. Because categories affect reporting and organization across many transactions, accidental deletion can cause broad user confusion and require substantial manual recovery.

Missing User Warnings

High (98% confidence)
Finding:
This debug log emits the full authentication request body, which includes the user's email, password, and potentially a generated TOTP code when MFA is supplied. If debug logs are enabled, forwarded to centralized logging, or read by other local users/processes, these secrets can be exposed and reused to compromise the Monarch Money account.

Missing User Warnings

Medium (72% confidence)
Finding:
The code persists an authentication token by default when saveSession is not explicitly disabled, but this file provides no visible safeguards around storage protection, user consent, or secure persistence semantics. In a finance-related skill, silently storing reusable session state increases the risk of local credential theft or account access if the host environment is shared, compromised, or improperly permissioned.

Missing User Warnings

Medium (85% confidence)
Finding:
The example instructs users to source email, password, and MFA secret from environment variables without any warning about secret handling, logging, shell history exposure, or CI leakage. In a skill/agent ecosystem, such examples normalize unsafe credential practices and may lead operators to place long-lived financial credentials and MFA seeds in insecure environments.

Missing User Warnings

Medium (88% confidence)
Finding:
The documentation promotes persistent session storage at ~/.mm/session.json without clearly warning that authenticated financial access is being stored locally. Even if encrypted, local session persistence expands the attack surface through file theft, weak host security, backup leakage, or misuse by other local processes.

Missing User Warnings

Medium (83% confidence)
Finding:
The update and split examples show write operations against transaction records without warning that they alter financial data and may affect budgeting, categorization, and auditability. In an agent-driven workflow, omission of confirmation requirements or safety notes increases the risk of accidental or automated modification of user records.

Missing User Warnings

Medium (91% confidence)
Finding:
The direct GraphQL mutation examples demonstrate arbitrary write capability against user financial data without warning about scope, approval, or potential destructive effects. In this skill context, unrestricted mutation patterns are especially dangerous because agents or integrators may invoke custom operations that bypass safer high-level APIs and modify sensitive records at scale.

Missing User Warnings

Medium (89% confidence)
Finding:
The troubleshooting guide instructs users to obtain and set the MFA seed secret, which is a long-lived credential equivalent to the second factor, but it does not explicitly warn users not to share, paste into logs, screenshots, shell history, or bug reports. In a troubleshooting context, users are more likely to copy diagnostic output or ask for help, so omission of secrecy guidance materially increases the chance of credential disclosure and account takeover.

Missing User Warnings

Medium (90% confidence)
Finding:
This test reads sensitive credentials from environment variables and sends them to a remote API, yet the only guidance is a broad claim that the tests are safe. In a skill or agent context, that increases the chance that automated runners, users, or maintainers execute the test without understanding it uses real secrets, which can expose account access patterns or trigger unintended authentication activity.

VirusTotal

65/65 vendors flagged this skill as clean.
