Treeline Money
PassAudited by ClawScan on May 1, 2026.
Overview
Treeline Money is coherent for local finance Q&A, but it relies on an external CLI and can access sensitive financial data when real data is enabled.
This skill appears purpose-aligned and disclosed. Before installing, make sure you trust the Treeline CLI source, start in demo mode if possible, keep your encrypted database locked when not in use, and approve write commands only after checking their effect.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill may install or rely on the Treeline CLI, so trust in the Treeline release source matters before using it with financial data.
The skill is instruction-only but depends on a downloaded native CLI from a mutable latest-release URL. This is disclosed and central to the skill, but users should recognize the external binary is the operative code.
"install":[{"id":"tl-mac","kind":"download","url":"https://github.com/treeline-money/treeline/releases/latest/download/tl-macos-arm64"Install only from the official Treeline source, review the release if needed, and keep the CLI updated intentionally.
Read queries can inspect financial records, and confirmed write commands can change local finance data.
The skill exposes broad SQL/query capability and also documents mutating commands such as sync, import, restore, and tagging. The artifacts clearly mark read commands as read-only and require user confirmation for writes.
"tl query \"SQL\" --json # Run any SQL query (database opened in read-only mode)" and "Write commands (ask the user first)"
Use dry-run options where available, confirm any write operation carefully, and avoid approving broad SQL writes unless you understand the change.
If the database is unlocked, the agent can read financial data through the CLI; if it is locked, the user must unlock it outside the conversation.
The skill can access an already-unlocked encrypted finance database through the local CLI/keychain state, while explicitly instructing the agent not to handle unlock credentials.
"Encrypted databases work automatically when unlocked — the encryption key is stored in the OS keychain" and "Do not attempt to unlock the database or handle credentials."
Keep the database locked when not using it, unlock it only when you intend to query real financial data, and do not share unlock credentials in chat.
Balances, budgets, transaction summaries, and spending details may appear in chat responses.
The skill is designed to bring sensitive financial results into the chat context. This is the intended function, but users should treat the conversation output as sensitive.
"Ask questions like \"What's my net worth?\", \"How much did I spend on groceries?\" ... and get instant answers from your own financial data."
Use demo mode first, ask for only the financial details you need, and avoid sharing chat transcripts that contain real financial information.