ClawHub

raiffeisen-elba

v1.4.4

Automate Raiffeisen ELBA online banking: login/logout, list accounts, and fetch transactions via Playwright.

0· 1.2k·2 current·2 all-time
byOliver Drobnik@odrobnik
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation: Python scripts that use Playwright to login, extract a bearer token, call internal ELBA JSON endpoints, list/download documents and transactions. Required binary (python3), Python deps (requests, playwright), and the config.json credential file are proportional to the stated purpose.
Instruction Scope
SKILL.md and code explicitly instruct creating a local config.json containing ELBA ID and 5-digit PIN, performing login that requires manual pushTAN approval, extracting bearer tokens from the browser context (local/session storage or by observing outgoing requests), caching that token locally, and recommending logout to delete session and cached token. All of these behaviors are necessary for the described browser-automation approach, but they are sensitive operations (token extraction and local credential storage) so the user should be aware and audit code before use. Minor inconsistency: setup docs say headless is default but scripts launch Playwright with headless=False (visible browser).
Install Mechanism
No custom install spec in the registry; the README/SETUP.md instructs using pip to install 'requests' and 'playwright' and to run 'playwright install chromium' which is the expected flow. There are no downloads from unknown personal servers in the skill itself. Playwright's browser installer will download browser binaries from upstream (expected).
Credentials
The skill requests no environment secrets and declares config.json as the required config path; this is proportionate. However, storing a 5-digit PIN in a local config file is sensitive — the skill documents strict file permissions and recommends 0600, and the code attempts to harden paths and set restrictive umask. Users should understand the risk of keeping credentials on disk and follow the recommended workflow (login → operations → logout).
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It persists per-user state only under the workspace 'raiffeisen-elba' (.pw-profile and token cache) and provides a logout command that deletes this state. It does not request system-wide privileges or modify other skills' configurations.
Assessment
This skill legitimately automates ELBA by controlling a browser and extracting a short-lived bearer token; that is why it needs your ELBA ID and PIN in a local config.json and why it inspects browser storage or outgoing requests. Before installing or running it: 1) Audit the code yourself or run it in an isolated/trusted environment (not on a shared or production machine). 2) Keep config.json permissions strict (chmod 600) as recommended and consider removing the PIN after use if you can. 3) Only run login operations when you can approve the pushTAN on your device; always run the provided logout command to delete .pw-profile/token cache. 4) Be aware Playwright will download browser binaries during setup (network activity). 5) If you are uncomfortable with local token extraction or storing credentials on disk, do not use this skill with real bank credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk976sx2hrde9b6spqpncdgwc6h82tjx8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🏦 Clawdis
Binspython3
Configconfig.json

Comments