Skill v0.1.15
ClawScan security
Bank Transactions Connector - Europe (PSD2) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 16, 2026, 10:58 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions, required credential, and network endpoints are consistent with a PSD2/OpenBanking connector and do not request unrelated access.
- Guidance: This skill appears to do what it says: it needs a FiBuKI API key to call fibuki.com endpoints and will store that key in your OpenClaw agent config. Before installing, verify you trust fibuki.com (review their privacy/security policies), understand the scope of the API key (what access it grants to bank transactions), and ensure you can revoke or rotate the key if needed. Only paste keys that you created on the official fibuki.com site, and confirm HTTPS endpoints (the SKILL.md points to fibuki.com/api/* and an OpenAPI spec).
Review Dimensions
- Purpose & Capability: ok. Name/description match the declared requirement (FIBUKI_API_KEY) and the SKILL.md describes calls to fibuki.com APIs for listing accounts, transactions, uploads, and matching—all coherent with a bank connector.
- Instruction Scope: ok. Runtime instructions are limited to checking/asking for FIBUKI_API_KEY, directing calls to fibuki.com endpoints, and using the platform's config to store the API key. There are no instructions to read unrelated files, scan system state, or contact other third-party endpoints.
- Install Mechanism: ok. No install spec or archive downloads—instruction-only skill (lowest install risk). Nothing is written to disk by the skill itself beyond storing the API key in the agent config as described.
- Credentials: ok. Only one credential (FIBUKI_API_KEY) is required and declared as primaryEnv, which is appropriate for a third-party API connector. No unrelated secrets or system paths are requested.
- Persistence & Privilege: note. Skill asks the user to store the API key in the OpenClaw/plugin config and restart the agent so the key loads—this is expected for API access but means the key will be persisted in agent configuration (user should be aware and able to revoke/rotate it).
