sure-finance-skill
v0.0.7Sure Finance API skill. Use when the user wants personal finance insights, account and transaction operations, tags/categories management, imports, or chat w...
⭐ 0 · 95 · 0 current · 0 all-time
by Lucas Moyano @secondport
MIT-0
License MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill's name/description (personal finance actions: accounts, transactions, tags, imports, chats) match the runtime instructions: curl calls to $SURE_BASE_URL authenticated with X-Api-Key. Required env vars SURE_API_KEY and SURE_BASE_URL are appropriate for the stated purpose. Minor inconsistency: the registry metadata summary at the top lists no required binaries, while SKILL.md metadata and compatibility docs state curl is required for core operations.
Instruction Scope
SKILL.md limits operations to curl requests against the provided base URL and explicitly forbids reading unrelated local files or printing API keys. Optional flows (self-hosting, external-assistant validation) are documented and correctly marked as opt-in. These optional flows expand scope (downloading compose files, asking for extra environment variables) and should only run when the user explicitly requests them — the skill explicitly says this, which is good, but users should verify the agent honors that.
Install Mechanism
No install specification or code is present (instruction-only skill), so nothing is written or executed by default. Self-hosting docs instruct downloading compose files from raw.githubusercontent.com (GitHub raw content) — a well-known host — and explicitly advise reviewing files before running; this is expected for an optional self-hosting workflow.
Credentials
Core required env vars are limited to SURE_API_KEY and SURE_BASE_URL, which is proportionate. There are several documented optional, sensitive variables (MCP_API_TOKEN, EXTERNAL_ASSISTANT_TOKEN, SECRET_KEY_BASE, POSTGRES_PASSWORD) used only for self-hosting or external-assistant validation. These optional secrets are not listed in the skill's required-env metadata (the SKILL.md says this is intentional). That design is acceptable but increases the risk of accidental disclosure if the agent or user mistakenly runs opt-in flows; confirm the agent will not prompt for these unless you explicitly opt in.
Persistence & Privilege
The skill does not request permanent presence (always is false), does not declare writing/modifying other skills' configs, and requires no system config paths. Autonomous invocation is allowed (platform default) but not combined with other red flags here.
Assessment
This skill appears to be what it claims: a thin wrapper of curl-based calls to a Sure API using SURE_API_KEY and SURE_BASE_URL. Before installing or using it:
(1) Only provide SURE_API_KEY and SURE_BASE_URL for normal use; do not share the optional secrets (MCP_API_TOKEN, EXTERNAL_ASSISTANT_TOKEN, SECRET_KEY_BASE, POSTGRES_PASSWORD) unless you explicitly opt into self-hosting or external-assistant validation.
(2) Verify that the agent actually asks for opt-in before running those optional flows, rather than assuming the SKILL.md wording is enforced.
(3) If you self-host, carefully review any compose files you download from raw.githubusercontent.com before running docker compose up, and use strong, rotated credentials for the database password and secret key base.
(4) Note the small metadata mismatch about requiring curl, and make sure curl is available in the environment the agent runs in.
If you want stronger assurance, ask the skill author to (a) make the required binaries consistent between the registry metadata and SKILL.md, and (b) list the optional env vars explicitly as "optional" in the metadata so automated checks can surface them.
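As an added example, not code from the skill or from Sure, here is a small POSIX sh wrapper around the kind of curl call the scan describes. It checks that the two required variables and curl are present, refuses a non-TLS base URL (loopback excepted, for a local self-hosted instance), reports any of the optional secrets that have leaked into the agent's environment, and hands the key to curl through a config read from stdin (curl -K -) instead of on the command line, where ps and shell history would expose it. The sure_* function names, the "accounts" path in the usage line and the hostnames are assumptions; use whatever paths the skill's own docs give.

```shell
#!/usr/bin/env sh
# Added example wrapper for a curl + X-Api-Key skill; not the skill's own code.
# Helper names (sure_*) and the example path/hosts are assumptions.

# Optional secrets named by the scan. They belong in the environment only
# after an explicit opt-in to self-hosting or external-assistant validation.
SURE_OPTIONAL_SECRETS="MCP_API_TOKEN EXTERNAL_ASSISTANT_TOKEN SECRET_KEY_BASE POSTGRES_PASSWORD"

# 0 when curl is on PATH (the skill's core operations need it), else 1.
sure_check_curl() {
  command -v curl >/dev/null 2>&1 || { echo "curl not found" >&2; return 1; }
}

# 0 when SURE_API_KEY and SURE_BASE_URL are set and the base URL uses TLS.
# Plain http is tolerated only for loopback, i.e. a self-hosted local instance.
sure_check_env() {
  [ -n "${SURE_API_KEY:-}" ]  || { echo "SURE_API_KEY unset" >&2; return 1; }
  [ -n "${SURE_BASE_URL:-}" ] || { echo "SURE_BASE_URL unset" >&2; return 1; }
  case "$SURE_BASE_URL" in
    https://*|http://localhost*|http://127.0.0.1*) ;;
    *) echo "SURE_BASE_URL must be https:// (the API key would travel in clear)" >&2
       return 1 ;;
  esac
  return 0
}

# Print, one per line, every optional secret that is set in this environment.
# Empty output is the expected state for normal (non-self-hosting) use.
sure_leaked_optional() {
  for v in $SURE_OPTIONAL_SECRETS; do
    eval "val=\${$v:-}"
    [ -n "$val" ] && echo "$v"
  done
  return 0
}

# Emit a curl config for GET <base>/<path>. Piped into curl -K -, the key never
# appears in argv (visible via ps to other local users) or in shell history.
sure_curl_config() {
  printf 'header = "X-Api-Key: %s"\n' "$SURE_API_KEY"
  printf 'url = "%s"\n' "${SURE_BASE_URL%/}/$1"
  printf 'silent\nshow-error\nfail\n'
}

# GET a path relative to SURE_BASE_URL; refuses to run on a broken environment.
sure_get() {
  sure_check_curl || return 1
  sure_check_env  || return 1
  sure_curl_config "$1" | curl -K -
}

# Run directly with a path (e.g. `sh sure.sh accounts`, path assumed) to perform
# the request; when sourced without arguments it only defines the helpers.
if [ -n "${1:-}" ]; then sure_get "$1"; fi
```

Running sure_leaked_optional before launching the agent is a cheap way to confirm point (1) above: if it prints anything, the optional secrets are reachable by the agent whether or not it asks for opt-in. Note that printf does not escape a key containing a double quote, which curl's config parser would misread; keys from this API are not expected to contain one, but a wrapper you ship should validate that.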
latest vk97f2hn8st739n8d843asgk33983nx9n
Runtime requirements
📈 Clawdis
Env: SURE_API_KEY, SURE_BASE_URL
