Nummo
Warn
Audited by ClawScan on May 10, 2026.
Overview
Nummo’s bank-data purpose is clear, but it depends on an unreviewed remote CLI installer and gives access to detailed financial history with unclear credential/session boundaries.
Review this carefully before installing. Verify the Nummo installer source, understand how Plaid and Nummo sessions are stored and revoked, and only approve narrowly scoped account or transaction queries that you actually want the agent to run.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If connected, the agent/CLI could retrieve granular bank transaction details, potentially including all available history, under the active Nummo session.
This shows the skill uses an authenticated session and can retrieve broad financial transaction history. The artifacts do not clearly bound where the session is stored, how Plaid access is scoped, or how users revoke that access.
`nummo auth status` ... shows their email and session expiry ... `nummo accounts txs ... [--all]` ... Use `--all` to fetch all available history.
Only connect accounts you intend to analyze, approve each financial-data command explicitly, avoid `--all` unless needed, and verify Nummo’s session storage and Plaid revocation process before use.
Installing this way executes remote code on the user’s machine before the reviewer can verify what it does, which is especially important for a tool that will access financial accounts.
The installation guidance pipes a remote script directly to a shell, while no CLI source code, checksum, signature, or pinned release is included in the reviewed artifacts.
`curl -fsSL https://nummo.ai/install | sh`
Inspect the installer before running it, prefer a signed or checksum-pinned release, and install only from a trusted Nummo source.
