Splitwise

Pass. Audited by ClawScan on May 10, 2026.

Overview

The skill appears to do what it claims, but it will use a long-lived Splitwise token to create real expense records through Splitwise’s API.

Install this only if you are comfortable letting your agent create Splitwise expenses with your API token. Keep the token secure and check expense details before submission.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent uses the wrong amount, user ID, or group, it could add an incorrect shared expense to Splitwise.

Why it was flagged

The skill can submit real Splitwise expense records. This is expected for the stated purpose, but it is still a mutating account action.

Skill content

`https://secure.splitwise.com/api/v3.0/create_expense` | Create a new expense | Cost, description, user IDs, shares, and group ID.

Recommendation

Before allowing the agent to submit an expense, verify the amount, description, payer, other participant, and group; consider requiring an explicit confirmation step for each expense.

What this means

Anyone who obtains the token may be able to act on the connected Splitwise account according to that token’s permissions.

Why it was flagged

The skill requires a long-lived account token and uses it for authenticated Splitwise API calls. This is disclosed and purpose-aligned, with no evidence of sending it elsewhere.

Skill content

`SPLITWISE_API_KEY`: A Long-lived User Token ... `SPLITWISE_API_KEY` is sent in the `Authorization` header to Splitwise.

Recommendation

Store the token securely, rotate it if exposed, and use the least-privileged Splitwise token option available.