Firm Fintech Pack

v1.0.0

Curated skill bundle for fintech startups, neobanks, payment processors and wealth-management platforms. Activates the firm pyramid with Finance, Legal, Engi...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The README-like SKILL.md describes a fintech 'firm' bundle and mostly contains prompts, recommended companion installs, and a workspace overlay — that matches the advertised purpose. However, it urges production/security settings and workspace paths (~/.openclaw/workspace/fintech-firm) without declaring any required config or credentials, which is an inconsistency between stated purpose and declared requirements.
Instruction Scope
The instructions include operational directives beyond simple prompts: they insist on environment flags (SECURE_PRODUCTION_MODE, AUDIT_ENABLED, READ_ONLY_MODE), audit/immutable JSONL trails, and a specific workspace path. These variables and paths are not listed in requires.env or required config paths. The SKILL also instructs using 'firm-orchestration' and recommends running npx clawhub installs for other skills — which will change the agent environment. This expands runtime scope beyond what's explicitly declared.
Install Mechanism
There is no install spec and no code files (lowest install risk). The SKILL.md recommends using npx clawhub@latest to install companion skills; those commands would install third-party packages at the time you run them. Because installation is left to the user and not performed automatically, risk is limited but you should inspect/verify any packages before running npx.
Credentials
The skill declares no required environment variables or credentials, yet the instructions mandate security-related env flags and an immutable audit trail. For a bundle that claims to enable integrations (PSD2, PCI-DSS, etc.), it also doesn't request any integration credentials — which is plausible if this is just a prompt bundle, but the presence of mandatory security flags that are not declared is disproportionate and confusing. This mismatch could lead to accidental misconfiguration or unmet security expectations.
Persistence & Privilege
The always flag is false and there is no install step, which is good. The SKILL metadata lists the tools sessions_send, sessions_spawn and sessions_history, which allow spawning sessions and sending or reading session content; those are powerful capabilities for an orchestration-style skill because they can create or transmit session content. This is not automatically malicious, but combined with the other inconsistencies it increases the potential blast radius and should be reviewed before enabling autonomous invocations.
What to consider before installing
This skill is an instruction-only 'firm pack' that mostly provides prompts and recommended companion installs. Before installing or enabling it:

1) Verify the source/author — there is no homepage and the owner ID is unfamiliar.
2) Inspect any companion packages before running the suggested npx clawhub install commands.
3) Confirm what 'firm-orchestration' and the suggested companion skills do (they may require sensitive credentials).
4) Don't assume the listed env flags (SECURE_PRODUCTION_MODE, AUDIT_ENABLED, READ_ONLY_MODE) are enforced — the skill declares them but does not require them; enforce these at your environment/config level if needed.
5) Be cautious because the skill metadata requests session tools (sessions_spawn/send/history) that allow spawning and transmitting sessions — avoid enabling autonomous invocation on production agents until you audit the orchestration skill's behavior.

If you can, ask the publisher for: an explicit list of required env vars/config paths, the exact behavior of firm-orchestration, and a code/homepage link so you can review the companion skills before use.


latest: vk97ee7hqpv0maqdj6cb7zbjmjx821g62
