Actual Budget

v1.0.2

Query and manage personal finances via the official Actual Budget Node.js API. Use for budget queries, transaction imports/exports, account management, categorization, rules, schedules, and bank sync with self-hosted Actual Budget instances.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's description and SKILL.md clearly require access to an Actual Budget server (ACTUAL_SERVER_URL, ACTUAL_PASSWORD, ACTUAL_SYNC_ID, etc.), which is coherent with the stated purpose. However, the registry metadata claims no required environment variables or credentials. The absence of a declared primary credential and of a homepage/source for verification is inconsistent with a skill that needs sensitive server credentials.
Instruction Scope
The SKILL.md stays within the stated purpose: it documents how to install and call @actual-app/api, which operations to run (sync, import, bank sync, queries), and which env vars and paths are used. It does not instruct indiscriminate file reads or exfiltration. Minor concerns: the default data dir can be the current working directory (cwd) which could expose more local files than intended; and it instructs use of NODE_EXTRA_CA_CERTS (a path to a cert file) which means the agent/process will read that file.
Install Mechanism
This is an instruction-only skill (no install spec), which is low-risk for skill bundle installation. However, SKILL.md tells users/agents to run `npm install @actual-app/api` — that will fetch code from npm (remote dependency). Because the skill's source/homepage are unknown, you cannot verify the upstream npm package or its integrity from the skill metadata alone. Users should validate the npm package origin before installing.
Credentials
The environment variables documented in SKILL.md (ACTUAL_SERVER_URL, ACTUAL_PASSWORD, ACTUAL_SYNC_ID, optional ACTUAL_ENCRYPTION_PASSWORD, NODE_EXTRA_CA_CERTS) are appropriate for connecting to a self-hosted Actual Budget server, but they are sensitive (server password, sync id). The skill metadata did not declare any required env vars or a primary credential — a mismatch that could lead to accidental exposure of secrets if the platform provides environment access in ways the user doesn't expect.
Persistence & Privilege
The skill does not request persistent installation or elevated platform privileges (always:false). It is instruction-only and has no code files, so it will not by itself write binaries to the agent environment. The agent-autonomy defaults are unchanged; combine that with other concerns if the platform gives this skill runtime access to environment variables.
What to consider before installing
Before installing or enabling this skill:
1) Note the metadata/manifest mismatch — SKILL.md requires sensitive env vars (server URL, password, sync id) but the registry metadata lists none. Ask the author to provide a source repository or homepage and to update the manifest to declare required credentials.
2) Verify the npm package @actual-app/api on npmjs.org or the official Actual Budget GitHub repo; inspect the package code or its provenance before running npm install.
3) Limit risk: run the package in an isolated environment or container, and prefer a dedicated, least-privilege service account or short-lived credential rather than your main password.
4) Be aware that ACTUAL_PASSWORD and ACTUAL_SYNC_ID are sensitive; ensure the platform only exposes environment variables explicitly declared and necessary.
5) If you cannot verify the author or upstream package, do not supply production credentials — ask for a vetted implementation or provide a read-only/test account.
6) If you proceed, consider setting ACTUAL_DATA_DIR explicitly to a safe location (not cwd) and carefully manage NODE_EXTRA_CA_CERTS to avoid trusting unexpected certificates.

Like a lobster shell, security has layers — review code before you run it.
