Personal Finance Reconciler
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: financial-reconciler
Version: 1.0.0
The skill is classified as suspicious due to potential vulnerabilities. The `SKILL.md` instructions that direct the AI agent to execute `python3 scripts/query.py "<natural language query>"` pose a prompt injection risk, as direct substitution of user input without proper shell escaping could lead to arbitrary command execution by the agent. Additionally, `scripts/categorize.py` allows users to add custom regex patterns via `add-rule`, which are then used in `re.search`, creating a Regular Expression Denial of Service (ReDoS) vulnerability. A minor Cross-Site Scripting (XSS) risk exists in `scripts/report.py` if malicious data from bank statements were to be embedded unsanitized into the generated HTML reports.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your transaction history, merchants, amounts, account labels, and memos may remain stored locally after import.
The skill persists detailed bank transaction data in a local SQLite database for future queries and reports.
CREATE TABLE IF NOT EXISTS transactions (... date TEXT NOT NULL, description TEXT NOT NULL, original_description TEXT, amount REAL NOT NULL, ... account TEXT, source_file TEXT, transaction_type TEXT, memo TEXT, imported_at TEXT DEFAULT (datetime('now')) ...);
Use it on a trusted device, protect the local data directory, and delete or relocate the SQLite database if you no longer want the data retained.
Installing the skill may fetch current versions of external Python packages rather than fixed, reviewed versions.
The skill relies on third-party Python packages installed from pip without version pins; this is purpose-aligned but creates normal dependency supply-chain exposure.
"install": { "all": "pip install pandas ofxparse tabulate python-dateutil", "macos": "pip3 install pandas ofxparse tabulate python-dateutil", "linux": "pip3 install pandas ofxparse tabulate python-dateutil", "windows": "pip install pandas ofxparse tabulate python-dateutil" }
Install in a trusted Python environment, consider pinning versions yourself, and review dependency provenance if you require stricter reproducibility.
Imported transactions may be categorized immediately using the skill's rules, which can affect later reports and budget status views.
The agent is instructed to run a local data-modifying categorization step automatically after import; this is disclosed and central to the finance-tracking workflow.
After a successful import, **always run categorization automatically** (step 2) without the user asking.
Review category summaries after import and adjust or recategorize rules if the automatic classifications are wrong.
