Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Monarch Money
v1.0.0
Access Monarch Money financial data: accounts, transactions, budgets, and cashflow. Use when the user asks about their finances, spending, account balances,...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation: scripts call the monarchmoney client to list accounts, transactions, budgets, cashflow, and trigger refreshes. Required binary (python3) and the pip package are appropriate for the stated purpose.
Instruction Scope
SKILL.md instructions are scoped to installing the monarchmoney library, running an interactive login to collect email/password/MFA, and using CLI scripts that read/write the session file under ~/.monarchmoney. There are no instructions to read unrelated files, environment variables, or send data to unexpected endpoints.
Install Mechanism
The install path is pip install of the 'monarchmoney' Python package (documented in SKILL.md). No arbitrary downloads, URL shorteners, or archive extraction are used in the skill bundle itself.
Credentials
The skill requests no environment variables or external credentials in its manifest. It asks the user interactively for email/password/MFA as expected for login and persists a session file locally. No unrelated secrets or config paths are requested.
Persistence & Privilege
The skill does not request always:true or system-wide changes. It saves a session to ~/.monarchmoney/mm_session.pickle (normal for this use). The skill is invocable/autonomous by default (disable-model-invocation is false) — this is the platform default but worth noting because the skill can be called by the agent.
Assessment
This wrapper appears to do what it claims: it installs the monarchmoney Python library, prompts you for your Monarch email/password and MFA once, then saves a session token at ~/.monarchmoney/mm_session.pickle for future use. Before installing, verify the 'monarchmoney' pip package source (use a virtualenv), review its repository if possible, and ensure you trust the environment where you'll store the session file. Treat the session file as sensitive (restrict filesystem permissions). Remember the agent can invoke the skill by default — if you don't want autonomous access to your finances, disable model invocation or avoid installing the skill.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
💰 Clawdis
Bins: python3
