Back to skill

Security audit

Friday Budgeting Pro

Security checks across malware telemetry and agentic risk

Overview

This finance skill appears purpose-built, but it needs Review because it persistently runs locally, handles bank data and credentials, and can send detailed transaction data to external LLM providers.

Install only if you are comfortable with a persistent local finance daemon that can sync bank data, modify budgeting rules and ledgers, register itself with OpenClaw, and send transaction details to an LLM provider. Avoid pasting real Plaid secrets into chat unless you trust the full agent and provider path, disable or explicitly configure external LLM fallback if you require local-only processing, and review uninstall cleanup for the LaunchAgent, OpenClaw config, cron file, and ~/.friday-bp data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (32)

Intent-Code Divergence

Low
Confidence
86% confidence
Finding
The document contradicts itself on whether login attempts are rate-limited, which is security-relevant because implementers may omit brute-force protections entirely. For a local service handling sensitive financial data, ambiguous auth requirements can lead to weaker-than-intended protection against repeated password guessing by local malware or other local users.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The architecture promises that secrets never live in plaintext on disk, but later explicitly stores Plaid API credentials in plaintext in both the DB and a .env file. That mismatch is dangerous because it weakens operator assumptions about how safely credentials are stored, and plaintext secrets on disk are recoverable from backups, local compromise, or misconfigured file permissions.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill states it auto-discovers and reads an Anthropic API key and gateway token from another application's config files under the user's home directory. Accessing credentials belonging to a different app violates isolation boundaries and can enable unauthorized use of paid APIs or lateral access to other agent infrastructure without clear consent.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The formatter uses abs(amount), which removes the negative sign from debits, refunds, liabilities, or losses and misrepresents the value as positive. In a personal finance skill that summarizes spending, balances, rental property activity, and exports, this can materially distort financial information shown to users or other components relying on the formatted output.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The wrapper reads OpenClaw configuration and credential files from the local filesystem and then uses discovered gateway tokens and API keys to make model calls outside the budgeting app's own declared configuration boundary. In a finance skill that may handle transaction data, this creates a cross-tool secret reuse and data-routing risk: sensitive prompts can be transmitted using credentials the user did not knowingly authorize for this skill.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The code routes prompts through OpenClaw and can silently fall back to Anthropic/OpenAI with auto-discovered credentials, but the skill description is focused on budgeting features and does not disclose this transmission behavior. For a personal finance tool, undisclosed external model fallback materially changes the trust boundary and can expose banking and ledger data to third-party providers unexpectedly.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The skill exposes a password-reset capability that generates recovery tokens and returns a live reset URL, which is outside the core budgeting scope and gives the agent direct account-recovery power. In an agent setting, any prompt injection or tool misuse could trigger credential reset flows without strong user verification, enabling account takeover of the local UI.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill allows changing the UI password via a tool call, expanding the agent's authority into authentication administration rather than budgeting operations. Although it requires the old password, giving an agent a password-changing primitive increases blast radius if the agent is socially engineered, prompt-injected, or already handling the current password in conversation.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The test file hard-codes Plaid sandbox credentials directly in source, which is still credential material even if limited to a sandbox environment. In a finance-related skill that connects to banks via Plaid, embedded credentials increase the risk of unauthorized test-environment access, accidental reuse, leakage through repositories or logs, and normalization of unsafe secret-handling practices.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The test claims it skips when Plaid credentials are unavailable, but it silently injects default credentials via os.environ.setdefault, causing the Plaid-dependent flow to execute even when operators did not explicitly provide secrets. In a finance-oriented skill that connects to Plaid, this increases the chance of unintended external network access and normalizes embedded credentials in source control.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The test file hard-codes Plaid sandbox credentials and uses them to create sandbox tokens and exercise external API flows. Even though these are sandbox credentials, embedding secrets in source code normalizes unsafe secret handling, risks unintended reuse, and can allow unauthorized use of the vendor sandbox environment by anyone with repository access.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The test file hardcodes Plaid sandbox credentials directly into source via environment defaults. Even though these are sandbox values, embedding third-party API secrets in code normalizes unsafe secret handling, can unintentionally expose usable test credentials, and may cause test runs to make real external connections without explicit operator intent.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
get_active_user_id allows non-HTTP MCP tools to act on behalf of the most recently active session, and if none exists, silently falls back to the first user in the database. In a multi-user personal finance application, this can cause cross-account actions without explicit authentication context, leading to unauthorized access, modification, export, or deletion of sensitive financial data.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The recovery flow writes a sensitive recovery token to a local file and optionally exposes it through chat via MCP, but the documentation does not clearly frame those as high-sensitivity actions requiring careful handling. In a finance context, insufficiently explicit warnings can lead to accidental disclosure of password-reset material to logs, chat history, screenshots, or local processes.

Missing User Warnings

High
Confidence
99% confidence
Finding
The README explicitly tells users to paste Plaid client ID and secret into an agent chat. Sending credentials through an LLM-mediated interface can expose them to logging, prompt leakage, model-provider retention, or accidental disclosure through tool traces, especially since the skill also mentions use with external MCP/LLM clients.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The README says the post-install agent flow will automatically interview the user and analyze recurring merchants from financial accounts, but it does not provide an explicit consent and privacy warning before collecting and persisting sensitive financial profile data. In a finance skill, silent or poorly signposted analysis of account data materially increases privacy and misuse risk.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill describes sending transaction data through an LLM classification pipeline, with a fallback to Anthropic's external service, but does not clearly warn the user that sensitive financial data may leave the local machine. Because transactions can include merchants, amounts, dates, accounts, and behavioral history, this creates a material privacy and confidentiality risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This script sends sensitive financial transaction data, account names, dates, amounts, Plaid categories, and the full ledger taxonomy to an external LLM via `chat(...)`. In a personal finance skill that connects to banks, this materially increases privacy and data-exposure risk, especially if users are not explicitly informed and data minimization, retention, and vendor controls are not enforced.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The batch classifier sends highly sensitive financial data to an external LLM, including merchant names, amounts, dates, account names/descriptions, Plaid categories, recent reviewed transactions, full ledger structure, and user hints. In a personal-finance skill that connects to banks and rental/investment ledgers, this creates a real privacy and data-governance risk if users have not explicitly consented, if the LLM provider retains prompts, or if data minimization is not enforced.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The single-transaction classifier transmits the same class of sensitive personal financial context to an external chat function, including transaction details, account context, merchant history, corrections, and ledger metadata. Because this skill is specifically designed to ingest bank-linked personal, household, rental, and investment activity, the leaked context can reveal intimate financial behavior and account structure beyond one transaction.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The legacy LLM classifier also sends transaction data, account descriptions, hints, and recent reviewed merchant history to the external model. Even though it is a legacy path, it remains callable and therefore continues to expose regulated or highly sensitive financial data to a third party without any evidence in this file of notice, consent, minimization, or segmentation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installer modifies the user's OpenClaw configuration file automatically, adding an MCP server entry that causes future agent interactions to invoke local code from this skill directory. In an agent-skill context handling personal finance and bank connectivity, silently altering trusted client configuration increases the chance of covert capability expansion and long-term execution without informed user consent.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The installer writes and bootstraps a LaunchAgent with KeepAlive and RunAtLoad, creating automatic persistence at user login without a separate disclosure or consent step. For a budgeting skill that may process sensitive financial data, establishing background execution materially increases risk because the component can continue running, listening locally, and accessing synchronized data beyond a one-time interactive session.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
When the local endpoint is unreachable or returns an unparseable response, the wrapper automatically sends the same messages to an external SDK/provider without a warning or consent checkpoint at the moment of transmission. In a budgeting skill, those messages may contain transaction history, account context, or other financial data, making silent fail-open exfiltration to third parties especially risky.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The reset flow silently writes the recovery token to disk in recovery.txt and suppresses exceptions, with no disclosure to the user that a reusable secret was persisted locally. On a multi-user or compromised host, that file becomes a durable account-recovery artifact that can be stolen for later UI takeover.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
server/health_monitor.py:74

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
server/main.py:1545