Spend Pulse

Review

Audited by ClawScan on May 10, 2026.

Overview

Spend Pulse matches its budget-alert purpose, but it asks users to install an external CLI and give it Plaid/real-bank access, so it should be reviewed before granting access.

Before installing, confirm that the npm package or GitHub repository is the intended Spend Pulse project and inspect the code if possible. Use Plaid Sandbox first, link only necessary accounts, and be careful with generated charts or alert messages because they can reveal spending details.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the npm package or GitHub source is wrong, compromised, or different from what the user expects, it could run local code under the user's account while handling financial credentials and transaction data.

Why it was flagged

The skill depends on external code that is not present in the submitted artifact set or install spec. Because that external CLI is later expected to receive Plaid credentials and financial transaction data, the provenance gap is materially important.

Skill content

npm install -g spend-pulse ... git clone https://github.com/jbornhorst1524/spend-pulse.git ... npm install && npm run build && npm link

Recommendation

Verify the npm package and GitHub repository owner, inspect or pin the code before installing, prefer Sandbox mode first, and avoid granting real Plaid access until the CLI source and version are trusted.

What this means

Installing and setting up the skill may expose linked-account transaction history to the CLI and any local storage it uses.

Why it was flagged

Plaid API credentials and real bank authorization are expected for this spending-alert purpose, but they grant access to sensitive account and transaction information.

Skill content

Prompt for Plaid API credentials ... choose Sandbox (test data) or Development (real bank) mode ... Open browser for Plaid Link bank authentication

Recommendation

Start in Plaid Sandbox, link only the accounts needed for spending alerts, verify what permissions Plaid requests, and revoke the Plaid item or credentials if you stop using the skill.

What this means

Spending charts, merchant names, amounts, and budget status could remain on disk or be included in messages where others might see them.

Why it was flagged

The skill creates local chart files and instructs the agent to attach them to spending updates. Those files and messages may contain sensitive financial context.

Skill content

spend-pulse chart                    # Writes to ~/.spend-pulse/chart.png ... Always attach the chart image when available

Recommendation

Treat generated charts and YAML output as sensitive, review attachments before sending them, choose safe output paths, and delete local Spend Pulse files when no longer needed.