Klutch
v0.3.0
OpenClaw skill for Klutch programmable credit card API integration. View cards, transactions, spending categories, and analyze spending patterns.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Klutch credit-card API integration) align with the included Python scripts, which implement GraphQL calls for cards, transactions, categories, and basic config management. The optional environment variables listed in SKILL.md (KLUTCH_CLIENT_ID, KLUTCH_SECRET_KEY, KLUTCH_API_KEY, KLUTCH_API_SECRET, KLUTCH_1PASSWORD_ITEM) match the auth code paths.
Instruction Scope
Runtime instructions restrict activity to contacting Klutch GraphQL endpoints, caching a session token under ~/.config/klutch/, and optionally reading credentials via the 1Password CLI. However, README/SKILL.md include 'hypothetical agent use cases' (e.g., 'Create a virtual card for a sub-agent', 'lock to merchant') that are not implemented in the provided scripts — documentation overreach rather than hidden functionality. The code does not attempt to read unrelated system files or exfiltrate data to non-Klutch endpoints.
Install Mechanism
Install uses pip (requirements.txt) with two small, common dependencies (requests, click). No downloads from arbitrary URLs or archive extraction are present.
Credentials
The skill requests only Klutch-related credentials (client id/secret or API key/secret) and an optional KLUTCH_1PASSWORD_ITEM for op CLI retrieval — these are proportional. Two small remarks: (1) the registry metadata shows no required env vars while SKILL.md documents optional env vars (this is minor and not a security problem), and (2) the 1Password lookup in auth.py hardcodes the op URI prefix 'op://Clawd/{item}/...' which could be surprising if users keep credentials in a differently named vault.
Persistence & Privilege
The skill caches a JWT session token and a config file under ~/.config/klutch/ (token.json and config.json) with file permissions set to 0600 — expected behavior for this kind of CLI integration. The skill is not set to always:true and does not modify other skills or global agent settings.
Assessment
This package appears to be a straightforward Klutch API client, but before installing consider:
1) The skill source is 'unknown' — only install if you trust the publisher or review the code yourself.
2) Provide only Klutch API credentials (client id/secret or API key/secret). The code will cache a session token at ~/.config/klutch/token.json — review or remove that file if you revoke access.
3) If you plan to use 1Password integration, ensure the 'op' CLI is installed and that your vault/item names match the code's expectations (the code uses the 'Clawd' vault prefix).
4) Do not assume advanced agent capabilities claimed in README (creating virtual cards, merchant locking, autonomous sub-agent billing) are implemented — those are hypothetical prompts and are not present in the provided scripts.
5) If you need higher assurance, run the scripts locally and inspect network calls (or grep for unexpected hosts) before granting credentials.
Like a lobster shell, security has layers — review code before you run it.
automation · credit-cards · finance · latest
Runtime requirements
💳 Clawdis
