Skill v1.0.0

ClawScan security

openfin-enable-banking · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 10, 2026, 10:34 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code and instructions generally match the stated purpose (Enable Banking integration) but there are mismatches between what the package declares and what it actually requires/runs (notably an undeclared dependency on the openssl binary, local config/private key files, and a callback HTTP(S) server that binds network interfaces).
Guidance
This package implements a legitimate-looking Enable Banking integration, but review and prepare before installing:
1) Provide a config.json with 'applicationId' and 'keyPath' (the private key file must exist and be kept secret).
2) Install Python dependencies (PyJWT, cryptography, requests) and ensure the system 'openssl' binary is available; the callback server uses openssl via subprocess to generate certs, but the skill metadata does not declare that dependency.
3) The callback server listens on network interfaces (default 0.0.0.0:8443) and will write files to .keys/, mandanten/, data/, and pending_callbacks/ in the skill directory; run this in an isolated environment and review permissions.
4) The onboarding flow prints an authorization URL to stdout that your agent/operator is expected to forward externally; ensure the channel used to forward it is secure and avoid leaking auth codes.
5) Verify the API base (api.enablebanking.com) and that you intend to register an application with Enable Banking; do not use production private keys with untrusted or third-party code.
If you want to proceed, update the skill metadata or documentation to declare the openssl dependency and the file-based config/key requirements, and run the code in a sandbox or VM first.

Review Dimensions

Purpose & Capability
note: Name/description align with the provided code: the scripts implement onboarding, session renewal, and fetching via the Enable Banking API. Requiring a private key (for JWT) and a config.json file is reasonable for this purpose. However, the metadata declares no required binaries or credentials, while the code expects on-disk credentials (config.json and a private key referenced by keyPath) and Python dependencies.
Instruction Scope
concern: SKILL.md and the scripts instruct the agent/operator to run local Python scripts and to start a callback server that listens on 0.0.0.0:8443 (HTTPS by default). The callback server auto-generates certs by invoking the system 'openssl' binary via subprocess; this subprocess use and network binding are not declared in the registry metadata. The onboarding flow prints an authorization URL to stdout for the agent to forward externally (WhatsApp/email), which is expected for OAuth but requires the agent to handle potentially sensitive URLs. The scripts also read and write local files (config.json, private key, mandanten/, data/, pending_callbacks/); all expected, but worth noting.
Install Mechanism
ok: There are no remote install steps or downloads; the code is bundled with the skill, and a requirements.txt lists the Python libraries (PyJWT, cryptography, requests). No external archives or unknown URLs are fetched during install, which reduces install-time risk.
Credentials
note: The skill does not declare required env vars or credentials, but it requires a config.json containing 'applicationId' and 'keyPath' and expects a private key file on disk. Those file-based credentials are proportionate to generating JWTs for the Enable Banking API. Still, the registry metadata should have documented these required files/binaries (and the need for openssl) so users know what secrets and system tools are necessary.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated platform privileges. It writes files only under its own directory structure (mandanten/, data/, pending_callbacks/, .keys/) and does not modify other skills or global agent configs. It does open a network listener (the callback server) that binds to 0.0.0.0, which increases exposure but is within the stated OAuth callback purpose.