EnvelopeBudget
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill appears purpose-aligned, but it gives the agent broad API-key access to read, create, update, and delete financial budget records without clear confirmation or scope limits.
Install only if you are comfortable giving the agent API-key access to your EnvelopeBudget financial records. Before allowing write operations, ask the agent to show the exact API call and require confirmation for changes, deletes, transfers, reconciliations, merges, archives, and bulk actions.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could change or delete budget records, transactions, envelopes, categories, or payees if prompted or if it misinterprets a request.
The skill documents write, delete, and bulk mutation endpoints for financial budgeting records, but the artifacts do not include confirmation, scoping, or rollback guidance for these high-impact actions.
DELETE | /api/transactions/{budget_id}/{transaction_id} | Delete ... POST | /api/transactions/{budget_id}/bulk | Create multiple ... DELETE | /api/envelopes/{budget_id}/{envelope_id} | Delete
Require explicit user confirmation for all POST, PUT, PATCH, DELETE, transfer, reconcile, merge, archive, and bulk operations, and show the exact budget, account, amount, and record IDs before executing.
Anyone or any agent session with access to this environment variable can use the helper to read or modify the connected EnvelopeBudget account data.
The helper uses an EnvelopeBudget API key to authenticate requests. This is expected for the service, but the key grants access to sensitive financial data and mutation authority.
-H "X-API-Key: ${ENVELOPE_BUDGET_API_KEY}"
Use a least-privilege API key if EnvelopeBudget supports it, keep it out of shared environments, rotate it if exposed, and avoid granting the skill access unless you want the agent to manage this budget.
A user relying only on the registry summary may not realize the skill needs local command-line tools and an API key before it can operate.
SKILL.md declares runtime dependencies and a required credential, while the supplied registry requirements list no required binaries, env vars, or primary credential. This can under-inform users during install review.
"primaryEnv":"ENVELOPE_BUDGET_API_KEY","requires":{"bins":["curl","python3"],"env":["ENVELOPE_BUDGET_API_KEY"]}
Update the registry metadata so required binaries and the EnvelopeBudget API key are declared consistently with SKILL.md.
