ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SimpleFIN Bank Connection

v1.0.2

Connects to bank accounts and fetches financial transactions via the SimpleFIN API. Use when the user wants to check bank balances, review recent transaction...

0· 102·1 current·1 all-time
by@eladrave

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for eladrave/simplefin.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "SimpleFIN Bank Connection" (eladrave/simplefin) from ClawHub.
Skill page: https://clawhub.ai/eladrave/simplefin
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install simplefin

ClawHub CLI

Package manager switcher

npx clawhub@latest install simplefin
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description align with the script and docs: the skill claims to use the SimpleFIN Bridge flow and the included Node.js script implements that flow (claim token, call /accounts, list transactions). Minor mismatch: SKILL.md references checking an environment variable (SIMPLEFIN_ACCESS_URL in openclaw.json) and a workspace file (memory/simplefin_url.txt), but the package metadata declares no required env vars — this is an undocumented expectation rather than a fatal inconsistency.
!
Instruction Scope
Runtime instructions tell the agent to prompt for a Setup Token, run the provided Node.js script to exchange it for an Access URL, and save that URL to memory/simplefin_url.txt. That means the agent will collect and persist sensitive credentials. The SKILL.md also references env/config locations that are not declared. The script executes shell curl commands via child_process.execSync with interpolated strings (claim URL and access URL-derived requests), which risks command injection if inputs are not strictly trusted/validated.
Install Mechanism
There is no install spec (instruction-only style) and a single included script file. That minimizes install-time risk, but the runtime behavior (shelling out to curl from Node via execSync) is a code-level risk and should be audited before use.
Credentials
The skill requires no external credentials in its metadata, which is proportionate. However, the workflow produces and requires storing an Access URL containing HTTP basic-auth credentials (username:password in the URL). The skill advises saving that Access URL in plaintext at memory/simplefin_url.txt — this is sensitive and not addressed in the declared requirements or guidance for secure storage.
Persistence & Privilege
always:false and no OS restrictions — the skill does not demand permanent forced presence. It instructs saving the Access URL to the workspace (memory/simplefin_url.txt), which is normal for credentials caching but should be considered sensitive. The skill does not modify other skills or global agent config per the provided files.
What to consider before installing
This skill appears to do what it claims, but take these precautions before installing: (1) Only use it if you trust bridge.simplefin.org and the Setup Token source. (2) Inspect and/or run the included script in a sandbox: it uses execSync to call curl with unescaped input (possible command injection) — prefer replacing shell calls with Node's https/http or a vetted HTTP library. (3) Don’t store the returned Access URL in an insecure plaintext file on shared systems; treat it as a secret (use secure storage or secrets manager). (4) Note SKILL.md mentions an env variable (SIMPLEFIN_ACCESS_URL) that isn't declared — if you rely on that, ensure it's set securely. (5) If you lack confidence in the script, ask the developer for a version that avoids shell execution and documents secure storage/rotation of the Access URL. If you decide to proceed, limit the skill's use to explicit, user-invoked actions and avoid granting it any broader unattended access to sensitive data.
scripts/simplefin_api.js:26
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk972648qd1skgmyc1dmp7c7x8183fc3n
102downloads
0stars
3versions
Updated 1mo ago
v1.0.2
MIT-0
@eladrave
latest
Download

SimpleFIN Bank Connection Skill

Overview

The simplefin skill allows you to connect to the user's bank accounts to retrieve account balances and transaction history using the SimpleFIN Bridge API.

Setup & Authentication (Always do this first!)

Before you can fetch any data, you need the user's SimpleFIN Access URL.

  1. Check if you have it: Look for a stored URL in the workspace at memory/simplefin_url.txt or in the environment variables (e.g., openclaw.json under SIMPLEFIN_ACCESS_URL).
  2. Prompt the user if missing: If you don't have the Access URL, you must ask the user for a Setup Token.
    • Instruction to provide to the user: "To get started, I need a SimpleFIN Setup Token. If you don't have one yet, here's how to get it:
      1. Go to SimpleFIN Bridge and sign up.
      2. Connect your bank accounts.
      3. Generate a Setup Token (a long string of characters). Please paste that Setup Token here so I can connect!"
  3. Claim the Token: Once the user provides the Setup Token, use the script to claim it and get the Access URL: 
    node scripts/simplefin_api.js claim "THE_SETUP_TOKEN_HERE"
    The script will output the true Access URL (https://username:password@...).
  4. Save it: Save the Access URL to memory/simplefin_url.txt so the user doesn't have to provide it again in the future. The Setup Token is single-use and cannot be used again.

Fetching Data

Use the provided Node.js script scripts/simplefin_api.js to interact with the API. It requires the access_url as the first argument.

1. List Accounts & Balances

To view all connected bank accounts and their current balances:

node scripts/simplefin_api.js "https://username:password@beta-bridge.simplefin.org/simplefin" accounts

This will output a JSON array of accounts, including their IDs, names, currencies, and balances.

2. List Transactions

To retrieve the transaction history across accounts:

node scripts/simplefin_api.js "https://username:password@beta-bridge.simplefin.org/simplefin" transactions [options]

Options:

  • --start-date YYYY-MM-DD: Filter transactions on or after this date.
  • --end-date YYYY-MM-DD: Filter transactions on or before this date.
  • --account "Account Name or ID": Filter transactions for a specific account.

Example: Fetching transactions for March 2026

node scripts/simplefin_api.js "https://username:password@beta-bridge.simplefin.org/simplefin" transactions --start-date 2026-03-01 --end-date 2026-03-31

Processing Output

  • Always format financial data clearly for the user (e.g., Markdown tables or bulleted lists).
  • If the API returns an authentication error, remind the user that their SimpleFIN token might have expired or been revoked, and ask them to generate a new Setup Token.

References

If you need to make changes to the SimpleFIN integration, look up error schemas, or review API limits, consult the developer guide:

Comments

Loading comments...