v0.5.5

Billclaw

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:27 AM.

Analysis

BillClaw’s purpose is coherent, but it handles bank and Gmail credentials through unpinned external npm packages, so it should be reviewed carefully before use.

Guidance: Before installing, review the npm package source and provenance, pin exact versions if possible, confirm Plaid/Gmail scopes, and only provide credentials after you are comfortable with how local financial data and OAuth tokens will be stored.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
From install spec:
package: @firela/billclaw-openclaw ... package: @firela/billclaw-cli ... package: @firela/billclaw-connect

The install specification references external npm packages without exact versions. Those packages provide the actual financial/Gmail integration behavior.

User impact: A future or substituted package version could affect how credentials and financial/email data are handled.
Recommendation: Install a specific reviewed version, verify npm provenance and source repository contents, and avoid entering credentials until the installed package version is trusted.

Human-Agent Trust Exploitation
Severity: Medium | Confidence: High | Status: Concern
From SECURITY.md:
All npm packages are: ... Version-pinned for reproducibility

This assurance conflicts with the unversioned package names in the install specification, which could lead users to place more trust in the install path than the artifacts support.

User impact: Users may assume stronger supply-chain protection than is actually shown by the install metadata.
Recommendation: Treat the security statements as claims to verify, and require exact package versions or reproducible provenance before using the skill with real financial or Gmail credentials.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
From SKILL.md:
`PLAID_SECRET` | Plaid API secret | Plaid bank sync ... `GMAIL_CLIENT_SECRET` | Gmail OAuth client secret | Gmail bill fetching

The skill documents credentials that can enable access to bank transaction data and Gmail bill data. This is purpose-aligned, but it is high-impact authority and is not reflected in the registry credential or capability declarations.

User impact: Configuring the skill can grant access to sensitive financial and email-derived data.
Recommendation: Use only the integrations you need, verify the exact OAuth/API scopes before connecting accounts, prefer least-privilege or sandbox credentials where possible, and revoke tokens when no longer needed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Note
From SECURITY.md:
Financial data stored locally in `~/.firela/billclaw/` ... OAuth tokens stored in your system keychain

The skill persists sensitive financial data locally and stores OAuth tokens in the system keychain. This is disclosed and purpose-aligned, but it creates a sensitive local data footprint.

User impact: Anyone with access to the device, backups, or keychain may be able to access sensitive financial data or tokens.
Recommendation: Use device encryption, protect backups, review the local BillClaw directory, and remove stored data/tokens if uninstalling or changing trust decisions.