ClawHub

Firefly III API Client

v1.0.5

Access and manage Firefly III finance data programmatically, including transactions, accounts, recurring rules, and automation via the API.

1· 25·0 current·0 all-time
by@josetseph
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchasesRequires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, manifest, SKILL.md, and src/api.py all align: the skill implements a generic REST wrapper for Firefly III and requires FIREFLY_URL and FIREFLY_TOKEN. The declared capability (network.external) and the dependency on 'requests' are appropriate for this purpose. Minor metadata drift: manifest version (1.0.3) differs from registry version (1.0.5), which is a bookkeeping inconsistency but not a functional mismatch.
Instruction Scope
SKILL.md directs the agent to set FIREFLY_URL and FIREFLY_TOKEN, install requests, and run api.py with explicit commands. The runtime instructions do not ask the agent to read unrelated files, system secrets, or transmit data to endpoints other than the configured FIREFLY_URL. The included SECURITY.md correctly warns about token safety.
Install Mechanism
There is no automated install spec; the skill is instruction-only with an included Python script. Dependencies are modest (requests) and correctly declared in manifest. No external downloads or archive extraction are performed by the skill files.
Credentials
The only environment variables declared and used are FIREFLY_URL and FIREFLY_TOKEN, which are necessary and proportionate for an API client. The code only reads those two variables and uses them to form authenticated requests.
Persistence & Privilege
always is false and the skill does not request persistent system privileges or alter other skills or system configs. It performs network calls only to the user-provided FIREFLY_URL when invoked.
Assessment
This skill appears to be what it claims: a simple Firefly III API client. Before installing, ensure you: (1) only set FIREFLY_URL to a Firefly III instance you control or trust, (2) keep FIREFLY_TOKEN private (treat it like a password), (3) review the included openapi YAML if you are concerned about any documented internal hosts (it contains a 'do not use' internal URL but the code will not contact it unless you set FIREFLY_URL to that host), and (4) run the script in a trusted environment since it will perform authenticated network requests to the URL you supply. Also note the manifest version mismatch (1.0.3 vs registry 1.0.5) — this is likely harmless metadata drift but you may want to confirm you have the intended release.

Like a lobster shell, security has layers — review code before you run it.

apivk97cnhpc9wr99yet8w9kqn40wh84b31vfinancevk9740f27d4bdm7g42kr3xgc2ax84b5yelatestvk97cnhpc9wr99yet8w9kqn40wh84b31vproductivityvk97cnhpc9wr99yet8w9kqn40wh84b31v

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments