Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Just Fucking Cancel

v1.2.0

Find and cancel unwanted subscriptions by analyzing bank transactions. Detects recurring charges, calculates annual waste, and provides cancel URLs. CSV-based analysis with optional Plaid integration for ClawdBot users.

by Alec Gutman (@chipagosfinest)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Skill claims to analyze transactions and produce cancel URLs. All declared runtime inputs (CSV upload or optional Plaid credentials) are appropriate and proportional to that purpose. The included references/common-services.md provides cancel URLs which is expected for this use case.
Instruction Scope
SKILL.md instructs local CSV processing by default and describes Plaid as an optional remote data source; it does not instruct the agent to read unrelated system files or exfiltrate data. It explicitly states 'No automated cancellation' and that users navigate to cancel URLs manually, which fits the described workflow.
Install Mechanism
This is an instruction-only skill with no install spec and no code executed at install time. The included HTML template and reference markdown are static assets — no downloads or archive extracts are requested.
Credentials
No required environment variables are listed in the registry metadata. SKILL.md documents three optional Plaid env vars (PLAID_CLIENT_ID, PLAID_SECRET, PLAID_ACCESS_TOKEN) which are appropriate for the optional Plaid integration. Because these are highly sensitive, only supply them if you trust the hosting/agent environment and you understand that Plaid will be contacted.
Persistence & Privilege
The skill is not marked always:true, does not request persistent system modifications, and contains no instructions to change other skills' configs or system-wide settings.
Assessment
This skill appears to do what it says: analyze transaction CSVs locally and optionally pull transactions via Plaid. Recommended actions before installing or using:
- Prefer the CSV workflow (local only) if you want to avoid sending financial data to third parties.
- If you enable Plaid, only provide PLAID_CLIENT_ID / PLAID_SECRET / PLAID_ACCESS_TOKEN when you trust the agent host and understand Plaid will be contacted; these tokens are sensitive and grant access to account transactions.
- Note a small documentation mismatch: PUBLISH.md mentions 'Browser automation for cancellations' while SKILL.md emphasizes no automated cancellation — confirm behavior before trusting any automatic cancellation actions.
- Review the cancel URLs in references/common-services.md yourself; check for correctness and avoid clicking links you don't recognize.
- The HTML template contains client-side JS (clipboard operations, privacy toggles). Running the report in a browser will execute that script locally; it does not appear to contact remote endpoints, but avoid pasting secrets into the report.
- If you need higher assurance, ask the publisher for runtime code or a canonical upstream repo (the SKILL.md attributes an upstream GitHub project).

Like a lobster shell, security has layers — review code before you run it.
