openfinance
v0.0.3
Connect bank accounts to AI models using openfinance.sh
by Winston Wu (@winxton)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (connect bank accounts via openfinance.sh) matches the runtime instructions and required environment variables. The only credential the skill needs is OPENFINANCE_API_KEY and an optional OPENFINANCE_URL; no unrelated cloud credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md contains concrete curl examples for /api/accounts, /api/transactions, and a POST /api/transactions/query (read-only SQL) and does not instruct reading local files, other environment variables, or exfiltrating data to third-party endpoints. The SQL endpoint is documented as read-only with a timeout and row limit; note that queries can still return sensitive financial data, which is expected given the skill's purpose.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest-risk delivery model (nothing is written to disk by the skill itself).
Credentials
The SKILL.md declares a single required secret (OPENFINANCE_API_KEY) and an optional OPENFINANCE_URL, which is proportionate. The registry summary earlier showing 'Required env vars: [object Object], [object Object]' appears to be a metadata/UI serialization bug — verify the actual required env vars before installing.
Persistence & Privilege
The skill is not force-included (always: false), does not request persistent system changes, and relies on an externally provided API key. Agent autonomous invocation is allowed by default (disable-model-invocation: false) — this is normal but worth noting.
Assessment
This skill is coherent: it simply instructs the agent to call the OpenFinance API using an OPENFINANCE_API_KEY. Before enabling it, confirm you trust openfinance.sh and that the API key you provide is scoped appropriately (read-only if possible), rotate or revoke the key if needed, and avoid pasting the key into public places. Note the registry metadata shows a malformed env listing ([object Object]) — double-check which environment variables the platform will actually pass to the skill. Remember that even read-only access returns sensitive financial data, so only enable the skill for agents or contexts you trust.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Env: [object Object], [object Object]
