ClawHub

Manage PocketSmith transactions, categories, budgets and financial data

vv1.0.0

Manage PocketSmith transactions, categories, and financial data via the API

1· 1.3k·2 current·2 all-time
by@lextoumbourou
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, SKILL.md, README, IMPLEMENTATION_NOTES and source files consistently implement a PocketSmith CLI using the PocketSmith API (base URL https://api.pocketsmith.com/v2). The only required env var is POCKETSMITH_DEVELOPER_KEY which matches the stated auth method.
Instruction Scope
Runtime instructions and CLI commands only reference the PocketSmith API and local CLI invocation. They do not instruct reading unrelated system files, scanning other credentials, or transmitting data to third‑party endpoints. Write operations require an explicit POCKETSMITH_ALLOW_WRITES=true opt‑in.
Install Mechanism
No registry install spec is present; repository contains a normal pyproject.toml (httpx dependency) and standard CLI entrypoint. There are no downloads from arbitrary URLs, no extract-from-unknown-host steps, and no obfuscated install actions.
Credentials
Only POCKETSMITH_DEVELOPER_KEY is required and POCKETSMITH_ALLOW_WRITES is an optional safety flag. No unrelated secrets or multiple service credentials are requested. The code reads exactly these env vars.
Persistence & Privilege
Skill does not request always:true, does not modify other skills or global agent config, and only performs API calls. Autonomous invocation is allowed by platform default but the skill itself does not grant elevated persistent privileges.
Assessment
This skill appears to do exactly what it says: a CLI for the PocketSmith API. Before installing, consider: (1) the developer key gives access to your PocketSmith account — only install if you trust the skill and source; (2) write operations are disabled by default — only set POCKETSMITH_ALLOW_WRITES=true when you intend to perform adds/edits/deletes; (3) the package depends on httpx and will make network calls to api.pocketsmith.com (expected); (4) if you want additional assurance, review the GitHub repo referenced in the README yourself, or create a scoped developer key in PocketSmith for use with this skill and store it securely in your environment. No evidence of hidden endpoints, unrelated credential requests, or filesystem exfiltration was found.

Like a lobster shell, security has layers — review code before you run it.

latestvk978sg6pvv90sphyvm852ftpw980kv1a

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvPOCKETSMITH_DEVELOPER_KEY

Comments