Finance Automation
Automates payments, invoices, expenses, and financial reports with Stripe webhooks and real-time Telegram notifications for streamlined finance management.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 479 · 6 current installs · 6 all-time installs
by Chloe Park (@ChloePark85)
Security Scan (OpenClaw): Suspicious, high confidence
Purpose & Capability
The codebase (webhooks, invoice/payment/expense handling, Telegram notifications) is coherent with the advertised purpose (finance automation). However, the registry metadata claims that no environment variables or credentials are required, while the code and docs expect many (STRIPE_*, TELEGRAM_*, SMTP_*, JWT_SECRET, OPENCLAW_TOKEN, DATABASE_URL, etc.). That metadata omission is a meaningful incoherence.
Instruction Scope
SKILL.md and QUICKSTART instruct the user to copy and edit .env and run npm install / npm run dev, and to use the Stripe CLI or ngrok to forward webhooks. The runtime instructions therefore require entering and handling multiple secrets and starting a networked server. The instructions do not ask for unrelated host data, but they do direct the user to deploy a network service that receives webhooks and transmits notifications externally. That is expected for this skill, but the instructions assume the user will provide sensitive credentials that the package metadata does not declare.
Install Mechanism
There is no remote download of arbitrary code: installation is via npm (package.json present) and local scripts (db init). No URL-based extracts or obscure installers were found. This is a normal Node.js project install pattern.
Credentials
The code expects many sensitive environment variables (Stripe keys and webhook secret, Lemon Squeezy keys, TELEGRAM_BOT_TOKEN and CHAT_ID, SMTP credentials, JWT_SECRET, OPENCLAW_TOKEN, DATABASE_URL). Those are proportionate to a finance/webhook/notification service, but the registry metadata lists none and the skill does not declare a primary credential. Additionally config.js provides an insecure default JWT secret ('change-this-secret') if JWT_SECRET is not set — a dangerous default for a service protecting financial endpoints.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills. It creates local storage/log directories and binds to a network port (default 3000) when run; that is expected for a webhook/API service but means the user should run it in a controlled environment. Autonomous model invocation is allowed by default (not a standalone concern here).
What to consider before installing
This repository implements the finance automation functionality it advertises, but the registry metadata is incomplete: it declares no required environment variables even though the code and docs require many secrets (Stripe, Lemon Squeezy, Telegram, SMTP, JWT secret, OpenClaw token, DB URL). Before installing or running:
- Treat this as running a networked service that will handle real payments and sensitive data. Run it in an isolated/staging environment, not directly on production systems.
- Do NOT paste or reuse production API keys until you have audited the notification and webhook code (src/services/notification.js and src/webhooks/*). Verify where notifications and outgoing requests are sent.
- Provide explicit environment variables (STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET, TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, SMTP_*, JWT_SECRET, OPENCLAW_TOKEN, DATABASE_URL) only after you confirm you trust the code and repository source. The registry metadata should have listed these; its omission is a red flag.
- Replace the default JWT secret (change-this-secret) with a strong secret before exposing the API. Confirm proper rate limits, CORS, and HTTPS are configured for production.
- Review logging/storage behavior (logs/, storage/pdfs, storage/receipts) to ensure no sensitive keys or full payment data are being written to insecure locations or committed to source control; add .env to .gitignore.
- Optionally run the service in a container or with a restricted user, monitor outbound network requests, and perform a quick code review of notification/webhook modules for any unexpected external endpoints.
If you need a safer quick test, use Stripe test keys and a throwaway Telegram bot/token and run locally behind a tunneling tool (ngrok) in a sandbox environment.
Current version: v0.2.1
Tags: finance, invoice, latest, payment
SKILL.md
Finance Automation
Automate payments, invoices, expenses, and financial reports.
Features
- Payments: Real-time payment recording via Stripe/Lemon Squeezy webhooks
- Invoices: CRUD with auto-numbering, tax calculation, send/paid status management
- Expenses: Submit, approve, reject expenses with category analytics
- Reports: Daily/monthly revenue, MRR, profit reports
- Notifications: Real-time Telegram alerts
Quick Start
cd finance-automation
cp .env.example .env
# Edit .env with your API keys
npm install
npm run db:init
npm run dev
API Endpoints
POST /api/invoices Create invoice
GET /api/invoices List invoices
POST /api/invoices/:id/send Send invoice
POST /api/invoices/:id/mark-paid Mark as paid
POST /api/expenses Add expense
POST /api/expenses/:id/approve Approve expense
POST /api/expenses/:id/reject Reject expense
GET /api/reports/daily Daily revenue + expenses
GET /api/reports/monthly Monthly report
GET /api/reports/summary Period summary
GET /api/reports/mrr Monthly Recurring Revenue
GET /api/reports/profit Profit report
Requirements
- Node.js >= 18
- SQLite3 (default) or PostgreSQL
- Stripe account (for payment webhooks)
Tags
finance, payment, invoice, expense, report, stripe, automation
Files: 24 total