Spend Pulse
v0.1.2
Proactive spending alerts via Plaid. Track credit card spending against a monthly budget with pace-based alerts.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a Plaid-integrated spending-alert CLI (setup, sync, check, charts) which aligns with the skill name and description. However, registry metadata lists the source/homepage as unknown while the instructions reference an npm package and a specific GitHub repo (github.com/jbornhorst1524/spend-pulse). That mismatch (metadata vs README) reduces confidence in provenance.
Instruction Scope
Instructions are focused on the stated purpose (Plaid API keys, Plaid Link flow, syncing transactions, generating charts) and don't ask to read unrelated system files. They do recommend storing API credentials in the macOS Keychain and writing files under ~/.spend-pulse (chart output), which is expected for a CLI but is OS-specific and does involve persistent credential storage and filesystem writes.
Install Mechanism
There is no install spec in the skill bundle — SKILL.md instructs users to run `npm install -g spend-pulse` or `git clone` from a GitHub repo. That means installing arbitrary third-party code from npm/GitHub is required for full functionality; the platform will not install audited code itself. Installing external packages carries standard supply-chain risks (malicious or vulnerable code). The referenced GitHub repo is a known host (better than an IP or pastebin) but the skill metadata does not prove the repo/package are official.
Credentials
The skill does not require unrelated credentials; it legitimately needs Plaid API credentials and bank authorization via Plaid Link. Those credentials will be collected interactively and stored in macOS Keychain per the instructions (instead of environment variables). This is proportional to the stated purpose, but the keychain approach is platform-specific and not declared in metadata (no OS restriction).
Persistence & Privilege
The skill does not request always-on inclusion and no special platform privileges are declared. The default ability for the agent to invoke the skill autonomously is allowed; given the skill can access financial data once credentials are supplied, allow autonomous use only if you trust the installed CLI and its source.
What to consider before installing
This skill appears to implement a Plaid-based spending-alert CLI, but it does not include code in the bundle and asks you to install an external npm package or clone a GitHub repo. Before installing or handing it Plaid credentials:
1) Verify the npm package and GitHub repo (owner, stars, recent commits, package versions, publisher identity).
2) Inspect the package source code (or ask for an audited release) to confirm it only uses Plaid and writes config under ~/.spend-pulse and the macOS Keychain as claimed.
3) Confirm you are comfortable installing third-party npm packages (they can run arbitrary code at install/run time).
4) Note the instructions target macOS Keychain — ensure this matches your OS or that the tool provides a secure alternative.
5) If you allow the agent to invoke the skill autonomously, remember it could run the CLI and access stored financial data; only enable autonomous use if you trust the package source.
If you want higher assurance, request a skill bundle that includes audited code or a clear install spec from a verified release (GitHub release or npm package with known publisher) and explicit metadata linking the registry entry to the repository.
Like a lobster shell, security has layers — review code before you run it.
