Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fiscal

v0.1.3

Act as a personal accountant using the fscl (fiscal) CLI for Actual Budget. Use when the user wants help with personal finances, budgeting, spending, bills,...

Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description claim (act as a personal accountant using the fscl CLI for Actual Budget) matches what the skill actually does: the SKILL.md is a detailed operator guide for translating user intent into fscl commands, drafts/apply flows, imports, rules, and queries. There are no unrelated binaries, services, or extraneous environment variables requested.
Instruction Scope
The instructions explicitly tell the agent to run fscl commands (e.g., `fscl status`, `transactions import`, `rules run`) and to follow a draft→edit→apply workflow. They also instruct the agent to request the server password from the user and run `fscl login ... --password <pw>` when commands return `not-logged-in`. This is coherent for a CLI-based budget skill, but it means the agent will handle authentication secrets and will execute commands that can modify your local budget data; the agent is also instructed not to show raw UUIDs to users.
Install Mechanism
There is no install spec and no code files — low filesystem footprint. Risk is limited to whatever the preinstalled `fscl` binary and user's budget files permit. The skill does reference the `npx skills add fiscal-sh/fscl` prompt in upstream tooling, but it does not perform any downloads itself.
Credentials
The skill declares no required environment variables or credentials, which is reasonable for an instruction-only wrapper. However, the command reference shows that fscl resolves `--server-url` from an env var (FISCAL_SERVER_URL) and from `~/.config/fiscal/config.json`, and authentication relies on a session token stored in fscl config. The SKILL.md does not declare these as required, but the agent will implicitly read/use them via the fscl binary. Also, the guidance to pass `--password` on the command line may expose the password in process listings — the user should be aware and may prefer to authenticate interactively or use stored tokens instead.
Persistence & Privilege
always is false and the skill does not request persistent platform privileges. It does not modify other skills or system-wide agent settings. Autonomous invocation (disable-model-invocation=false) is the platform default; combined with this skill's ability to run fscl, an agent could autonomously make changes to your budget if allowed to run — the user should control when the skill is invoked.
Assessment
This skill is an instruction-only wrapper for the fscl CLI and appears to do what it says. Before installing or allowing it to run autonomously:

  1) Make sure you have the official fscl binary you trust installed locally (the skill expects to call it).
  2) Understand the skill will read your fscl config (~/.config/fiscal/config.json) and may use FISCAL_SERVER_URL if set — it can therefore access your budget data and session token.
  3) Be cautious about entering server passwords directly into commands (the SKILL.md suggests `--password <pw>`, which can be exposed in process lists); prefer interactive login or stored tokens where possible.
  4) Back up your budget or work on a test copy before allowing bulk apply/rules runs, since the agent will run write operations (draft→apply, imports, rules run) that modify your data.
  5) If you plan to allow autonomous agent invocation, limit the agent's scope or require explicit user confirmation before any fscl apply/sync/login steps.

Overall the skill is coherent, but it legitimately needs local fscl access and potentially a server password — only proceed if you trust the environment and the agent to operate on your financial data.
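One way to implement the confirmation step from point 5 together with the `--password` exposure from point 3, as an added example that is not part of the skill, fscl, or ClawHub. It assumes the agent's proposed command is available as a string before execution and that the fscl verb appears in the leading positional words; the verb sets are built only from commands named on this page, and unknown commands fail closed.

```python
import shlex
from itertools import takewhile

# Verb sets use only commands named on this page. Assumption: the verb sits in
# the leading positional words, before any flag (`fscl rules run --json`).
READ_VERBS = {"status", "list", "show", "find"}   # page: read commands don't sync
GATED_VERBS = {"apply", "import", "run", "login", "sync", "init"}
SECRET_FLAGS = {"--password"}

def flag_name(token):
    return token.split("=", 1)[0]

def redact(argv):
    """Copy of argv that is safe to log: values of secret flags are masked."""
    out, mask_next = [], False
    for tok in argv:
        if mask_next:
            out.append("<redacted>")
            mask_next = False
        elif tok in SECRET_FLAGS:
            out.append(tok)
            mask_next = True
        elif flag_name(tok) in SECRET_FLAGS:
            out.append(flag_name(tok) + "=<redacted>")
        else:
            out.append(tok)
    return out

def decide(command_line):
    """Return (decision, reasons, loggable_argv); decision is allow/confirm/deny."""
    try:
        argv = shlex.split(command_line)
    except ValueError:
        return "deny", ["unparseable command line"], []
    if not argv or argv[0] != "fscl":
        return "deny", ["not an fscl invocation"], redact(argv)
    # Only words before the first flag count, so a flag value cannot pose as a verb.
    head = list(takewhile(lambda t: not t.startswith("-"), argv[1:]))
    reasons = []
    if any(flag_name(t) in SECRET_FLAGS for t in argv):
        reasons.append("secret on argv is visible in process listings")
    gated = [w for w in head if w in GATED_VERBS]
    if gated:
        reasons.append("gated verb: " + ", ".join(gated))
    elif not any(w in READ_VERBS for w in head):
        reasons.append("unrecognised command, treated as a write")
    return ("confirm" if reasons else "allow"), reasons, redact(argv)
```

Only the third element of the result should ever reach agent transcripts or logs; the raw command line still carries the password.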

Like a lobster shell, security has layers — review code before you run it.

latestvk97a6kxc017tfrkeqr9heqkt5d81r8y8
756 downloads
0 stars
2 versions
Updated 6h ago
v0.1.3
MIT-0

Fiscal Personal Accountant

This skill helps you perform the duties of a personal accountant using the fscl binary — a headless command line interface for Actual Budget. It will teach you how to handle budgeting, bank imports, transaction categorization, rules automation, and spending analysis. The user should never need to learn Actual Budget or CLI commands.

How It Works

Talk to the user about their finances in plain language. Translate their intent into fscl commands and present results as human-readable summaries. Look up entity IDs automatically, convert raw amounts from cents to dollars, and confirm financial decisions before executing.

Key conventions:

  • Always pass --json to fscl commands. Present output as tables, bullets, or summaries — never raw JSON.
  • Amounts: CLI outputs cents (integers), display as currency (-4599 → -$45.99). CLI input uses decimals (--amount 45.99).
  • Dates: YYYY-MM-DD for dates, YYYY-MM for months.
  • IDs: Fetch with find or list and reuse them for the whole session. Never show UUIDs to the user — use names.
  • Accounts: Confirm account type (checking, savings, credit card, etc.) before creating or importing transactions into an account.
  • Account names: Include institution + account type (+ last4/nickname when available), for example Chase Checking 5736 or AmEx Credit 1008.
  • Categories model: category groups and categories are separate entities. Categories belong to groups; categories do not nest under categories.
  • Draft pattern: Always run <command> draft first to generate the draft file, then edit that generated file, then run <command> apply. Never hand-create draft JSON files in drafts/ by path. Used for categories, categorize, edit, rules, month budgets, templates.
  • Read commands (list, show, status) don't sync. Write commands auto-sync when a server is configured.
  • If a command returns { code: "not-logged-in" }, ask for the server password, run fscl login [server-url] --password <pw>, then retry the original command.

How to Help Users With Their Budgets

Run at the start of every session to understand the budget state:

fscl status --json

If the command fails with "No config found," fscl hasn't been initialized. Ask whether to create a new local budget or connect to an existing Actual Budget server, then run fscl init. See references/commands.md for init modes.

If status returns budget.loaded = false with a budget.load_error, the budget exists but can't be opened. Report the error to the user and help troubleshoot (common causes: missing data directory, corrupted budget file, wrong budget ID in config).

Otherwise, use the status metrics to determine which workflow to load. The key fields are metrics.accounts.total, metrics.rules.total, metrics.transactions.total, metrics.transactions.uncategorized, and metrics.transactions.unreconciled.

Path 1: Empty Budget → Onboarding

No accounts exist yet. The budget was just created and needs full setup.

references/workflow-onboarding.md

Path 2: Needs Triage → Optimization

Accounts and transactions exist but the budget isn't well-automated. Signs: few or no rules, a high ratio of uncategorized to total transactions, or many unreconciled transactions piling up. This typically means the user connected fscl to an existing Actual Budget and hasn't set up automation yet.

references/workflow-optimization.md

Path 3: Healthy Budget → Day-to-Day

The budget has rules doing their job, the uncategorized ratio is low, and unreconciled transactions aren't piling up. The user is in maintenance mode — help with whatever they need.

references/workflow-maintenance.md

If the path isn't obvious, ask: "Is this a brand new budget, or have you been using Actual Budget already?"

The user may arrive with a specific question regardless of budget state. Always answer their immediate question first. Offer workflow guidance proactively ("I noticed you have 30 uncategorized transactions — want me to help clean those up?") but don't force it.

Reference Files

Workflows:

Commands:

Guides:
