Financy
Warn
Audited by ClawScan on May 18, 2026.
Overview
Financy is a coherent finance-tracking API, but it can read, export, create, update, and delete personal financial records without a clearly declared authentication or approval boundary.
Review this skill carefully before installing. It appears purpose-aligned for personal finance tracking, but only use it with real financial data if you can verify authentication, user authorization, export-link protection, and confirmation requirements for delete or update actions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could modify or remove finance records if it invokes the wrong endpoint or uses the wrong transaction ID.
The skill exposes tools that can change or delete personal financial records. The artifacts do not state that these actions require explicit user confirmation or provide rollback guidance.
POST /api/financy/transaction — Create or Update Transaction ... DELETE /api/financy/transaction/{transaction_id} — Removes a specific transaction from the user's account.
Use only after confirming the exact user ID and transaction details; the skill should require explicit confirmation before create, update, delete, or export operations.
If the backend relies only on a numeric user ID, financial data could be accessed, exported, changed, or deleted without a clear account-level permission check.
The declared credential contract shows no authentication requirement, despite the API operating on user financial records. Combined with userId-based requests in the OpenAPI contract, the authorization boundary is unclear.
Required env vars: none; Env var declarations: none; Primary credential: none
Verify that the API enforces real authentication and per-user authorization before using it with real financial data.
Exported transaction data may be more easily shared or exposed if the generated download link is not properly protected.
The export flow produces an externally hosted CSV URL for transaction data, but the artifacts do not describe access controls, expiry, retention, or whether the link is protected.
"format": "csv", "download_url": "https://api.toolweb.in/tools/financy/exports/exp_12345.csv", "record_count": 42
Avoid exporting sensitive financial records until the provider documents protected downloads, expiration, and data-retention behavior.
Users have less external information to verify who operates the service or how it handles financial data.
The provider provenance is limited for a service that asks users to store and export sensitive financial information.
Source: unknown; Homepage: none
Confirm the publisher and service documentation before entering real financial records.
