Monzo
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This Monzo banking skill is mostly transparent and purpose-aligned, but it gives an agent persistent bank access and can change account state without a built-in confirmation gate in the provided scripts.
Before installing, decide whether you want an agent to have ongoing Monzo API access. Use read-only commands by default, require manual confirmation for any pot movement, receipt deletion, transaction annotation, or webhook change, keep the encryption password out of shared files, and revoke the Monzo OAuth connection if you no longer need it.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent misunderstands a request or is prompted into using the mutation commands, it could change where your money is held in Monzo and affect your available balance.
The provided script can move money between a Monzo account and pots after parsing command arguments; no explicit confirmation prompt or amount cap is shown in this script before the API mutation.
response=$(monzo_api_call PUT "/pots/$POT_ID/deposit" ... -d "amount=$AMOUNT" ...)
response=$(monzo_api_call PUT "/pots/$POT_ID/withdraw" ... -d "amount=$AMOUNT" ...)
Require explicit user confirmation for every pot deposit/withdrawal and other account-changing operation, including the exact account, pot, amount, and direction before execution.
Someone who gains access to the encrypted file and password, or to your running user environment, may be able to access your Monzo account through the API.
The skill persists delegated Monzo credentials, including refresh tokens, which is expected for this integration but gives ongoing account access if the local environment or encryption password is compromised.
The following are stored in the encrypted credentials file:
- OAuth Client ID and Client Secret
- Access Token and Refresh Token
- Default Account ID
Use a strong unique MONZO_KEYRING_PASSWORD, restrict file permissions, avoid shared machines, and revoke the OAuth client in Monzo if you stop using the skill or suspect compromise.
A webhook pointed at the wrong endpoint could expose future transaction notifications outside your control.
The skill can register persistent transaction webhooks to an external URL. The README warns about attacker-controlled endpoints, and the script requires HTTPS, so this is disclosed but still sensitive.
scripts/webhooks.sh create https://your-server.com/webhook
> Webhook safety: Only point webhooks at endpoints you control. An attacker-controlled webhook would receive your transaction notifications.
Only create webhooks to servers you own, review existing webhooks regularly, and delete any webhook you do not recognize.
You have less external information to verify who maintains the banking integration or how updates are reviewed.
For a skill that handles banking credentials and account actions, the lack of a public source or homepage makes publisher provenance harder for users to verify, even though the included artifacts do not show hidden install behavior.
Source: unknown
Homepage: none
Install only if you trust the publisher and have reviewed the included scripts; prefer a version with a verifiable repository or maintainer identity.
