Monzo

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: monzo
Version: 1.0.2

The OpenClaw Monzo skill is well-documented and transparent, adhering to good security practices. Credentials are encrypted at rest using AES-256-CBC with PBKDF2, and the setup process includes OAuth state validation to prevent CSRF. The documentation (`SKILL.md`, `README.md`, `SECURITY.md`) explicitly details the threat model, warns about the `MONZO_KEYRING_PASSWORD` being visible in process environments on multi-user systems, and advises caution with webhook URLs. All code aligns with the stated purpose of Monzo banking operations, without any evidence of intentional data exfiltration to unauthorized endpoints, malicious execution, persistence mechanisms, or prompt injection attempts against the agent.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent misunderstands a request or is prompted ambiguously, it could move money between your current account and pots without a second review step.

Why it was flagged

The script directly changes Monzo pot balances using a supplied amount. The provided pot script does not show a confirmation prompt, dry-run, or amount limit before making the banking API call.

Skill content

response=$(monzo_api_call PUT "/pots/$POT_ID/deposit" ... -d "amount=$AMOUNT" ...)
response=$(monzo_api_call PUT "/pots/$POT_ID/withdraw" ... -d "amount=$AMOUNT" ...)

Recommendation

Require explicit confirmation that repeats the exact account, pot, direction, and amount before any deposit or withdrawal. Consider a read-only default mode or an allowlist for write operations.

What this means

Anyone who can access the encrypted file and the keyring password may be able to use your Monzo API connection.

Why it was flagged

The skill stores persistent delegated Monzo credentials. This is expected for the integration and is documented as encrypted, but it grants ongoing banking account access if the local password or machine is compromised.

Skill content

The following are stored in the encrypted credentials file:
- OAuth Client ID and Client Secret
- Access Token and Refresh Token
- Default Account ID

Recommendation

Use a strong, unique `MONZO_KEYRING_PASSWORD`, keep config files private, run only on a trusted machine, and revoke the connected app in Monzo if you stop using the skill.

What this means

A webhook pointed at the wrong endpoint could send transaction notifications to someone else.

Why it was flagged

The webhook feature can create a persistent external data flow containing transaction notifications. The risk is disclosed and HTTPS is required, but endpoint ownership cannot be verified by the skill.

Skill content

Webhooks — Register and manage real-time transaction webhooks ... Only point webhooks at endpoints you control. An attacker-controlled webhook would receive your transaction notifications.

Recommendation

Only create webhooks for endpoints you control, confirm the URL carefully before registration, and periodically list/delete old webhooks.

What this means

You have less external provenance to rely on when deciding whether to trust this banking integration.

Why it was flagged

The skill has a provenance gap. That is especially important because it handles banking credentials and account access, even though the provided code is visible and the static scan was clean.

Skill content

Source: unknown
Homepage: none

Recommendation

Review the included scripts before use and prefer installing banking-related skills from maintainers and repositories you can verify.