ClawHub

Nova Net Worth

v1.3.1

Query your Nova Net Worth financial data — net worth, accounts, holdings, goals, spending, transactions, AI insights, and health score. Use when the user ask...

0· 425·0 current·0 all-time
byJesse Wunderlich@jessewunderlich
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, README, and scripts all align: this is a Nova Net Worth API client that needs only NOVA_API_KEY. One minor inconsistency: the holdings endpoint in the script is mapped to '/api/holdings' (no '/api/v1/agent' prefix used elsewhere), which looks like a likely bug/typo rather than malicious behavior.
Instruction Scope
SKILL.md instructs the agent to run the included Node script and set NOVA_API_KEY. The script reads only NOVA_API_KEY (and an optional NOVA_API_URL) and issues HTTPS requests to the API base URL; it does not read other files, arbitrary env vars, or unrelated system paths.
Install Mechanism
There is no install spec (instruction-only skill) and the only code is an included Node script. No external archives or executables are downloaded by an installer step. Running the script will execute code locally and make network calls to the stated API host.
Credentials
Only NOVA_API_KEY (required) and optional NOVA_API_URL are used. That is proportionate for a client that queries a user's financial data. The script even validates the key has the expected 'nova_' prefix.
Persistence & Privilege
Skill is not always-enabled, does not request elevated or persistent system privileges, and does not modify other skills or global agent configuration.
Assessment
This skill appears to be what it claims: a client for the Nova Net Worth API that only needs your NOVA_API_KEY. Before installing, consider: (1) only provide a key you trust the service with — prefer a read-only or limited-scope key if Nova supports it; (2) confirm you trust app.novanetworth.com and its privacy/security posture because the script will send all financial queries there; (3) note the small inconsistency in the holdings endpoint path (may cause a command to fail) — treat it as a bug, not evidence of exfiltration; (4) do not paste your API key into public chat or logs; (5) if you want extra assurance, inspect the remainder of the script and test with an account that has minimal data/permissions. If you want, I can point out the exact lines that perform network requests and show what hosts will be contacted.

Like a lobster shell, security has layers — review code before you run it.

latestvk978x4v0eayz6ggzr55e96nhfx8205fa

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvNOVA_API_KEY

Comments