EnvelopeBudget
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: envelopebudget
Version: 1.2.0
The skill is a standard API integration for EnvelopeBudget.com, providing tools to manage financial data. It uses a simple bash wrapper (scripts/eb_api.sh) for curl commands and requires a user-provided API key, with no evidence of data exfiltration, malicious execution, or prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could change or delete budget records, transactions, envelopes, categories, or payees if prompted or if it misinterprets a request.
The skill documents write, delete, and bulk mutation endpoints for financial budgeting records, but the artifacts do not include confirmation, scoping, or rollback guidance for these high-impact actions.
DELETE | /api/transactions/{budget_id}/{transaction_id} | Delete ...
POST | /api/transactions/{budget_id}/bulk | Create multiple ...
DELETE | /api/envelopes/{budget_id}/{envelope_id} | Delete
Require explicit user confirmation for all POST, PUT, PATCH, DELETE, transfer, reconcile, merge, archive, and bulk operations, and show the exact budget, account, amount, and record IDs before executing.
Anyone or any agent session with access to this environment variable can use the helper to read or modify the connected EnvelopeBudget account data.
The helper uses an EnvelopeBudget API key to authenticate requests. This is expected for the service, but the key grants access to sensitive financial data and mutation authority.
-H "X-API-Key: ${ENVELOPE_BUDGET_API_KEY}"
Use a least-privilege API key if EnvelopeBudget supports it, keep it out of shared environments, rotate it if exposed, and avoid granting the skill access unless you want the agent to manage this budget.
A user relying only on the registry summary may not realize the skill needs local command-line tools and an API key before it can operate.
SKILL.md declares runtime dependencies and a required credential, while the supplied registry requirements list no required binaries, env vars, or primary credential. This can under-inform users during install review.
"primaryEnv":"ENVELOPE_BUDGET_API_KEY","requires":{"bins":["curl","python3"],"env":["ENVELOPE_BUDGET_API_KEY"]}
Update the registry metadata so required binaries and the EnvelopeBudget API key are declared consistently with SKILL.md.
