← Back to Skills Marketplace
107
Downloads
0
Stars
1
Active Installs
3
Versions
Install in OpenClaw
/install simplefin
Description
Connects to bank accounts and fetches financial transactions via the SimpleFIN API. Use when the user wants to check bank balances, review recent transaction...
Usage Guidance
This skill appears to do what it claims, but take these precautions before installing: (1) Only use it if you trust bridge.simplefin.org and the Setup Token source. (2) Inspect and/or run the included script in a sandbox: it uses execSync to call curl with unescaped input (possible command injection) — prefer replacing shell calls with Node's https/http or a vetted HTTP library. (3) Don’t store the returned Access URL in an insecure plaintext file on shared systems; treat it as a secret (use secure storage or secrets manager). (4) Note SKILL.md mentions an env variable (SIMPLEFIN_ACCESS_URL) that isn't declared — if you rely on that, ensure it's set securely. (5) If you lack confidence in the script, ask the developer for a version that avoids shell execution and documents secure storage/rotation of the Access URL. If you decide to proceed, limit the skill's use to explicit, user-invoked actions and avoid granting it any broader unattended access to sensitive data.
Capability Analysis
Type: OpenClaw Skill
Name: simplefin
Version: 1.0.2
The skill contains a critical shell injection vulnerability in `scripts/simplefin_api.js` where user-provided input (the Setup Token) is base64-decoded and passed directly into a shell command via `execSync` without sanitization. Additionally, the skill instructions in `SKILL.md` direct the agent to store sensitive financial API credentials, including a plaintext username and password, in a local file (`memory/simplefin_url.txt`). While these actions support the stated purpose of connecting to the SimpleFIN API, the lack of input validation and insecure credential storage represent significant security risks.
Capability Assessment
Purpose & Capability
The name/description align with the script and docs: the skill claims to use the SimpleFIN Bridge flow and the included Node.js script implements that flow (claim token, call /accounts, list transactions). Minor mismatch: SKILL.md references checking an environment variable (SIMPLEFIN_ACCESS_URL in openclaw.json) and a workspace file (memory/simplefin_url.txt), but the package metadata declares no required env vars — this is an undocumented expectation rather than a fatal inconsistency.
Instruction Scope
Runtime instructions tell the agent to prompt for a Setup Token, run the provided Node.js script to exchange it for an Access URL, and save that URL to memory/simplefin_url.txt. That means the agent will collect and persist sensitive credentials. The SKILL.md also references env/config locations that are not declared. The script executes shell curl commands via child_process.execSync with interpolated strings (claim URL and access URL-derived requests), which risks command injection if inputs are not strictly trusted/validated.
Install Mechanism
There is no install spec (instruction-only style) and a single included script file. That minimizes install-time risk, but the runtime behavior (shelling out to curl from Node via execSync) is a code-level risk and should be audited before use.
Credentials
The skill requires no external credentials in its metadata, which is proportionate. However, the workflow produces and requires storing an Access URL containing HTTP basic-auth credentials (username:password in the URL). The skill advises saving that Access URL in plaintext at memory/simplefin_url.txt — this is sensitive and not addressed in the declared requirements or guidance for secure storage.
Persistence & Privilege
always:false and no OS restrictions — the skill does not demand permanent forced presence. It instructs saving the Access URL to the workspace (memory/simplefin_url.txt), which is normal for credentials caching but should be considered sensitive. The skill does not modify other skills or global agent config per the provided files.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install simplefin - After installation, invoke the skill by name or use
/simplefin - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
Added developer API reference guide
v1.0.1
Fix auth flow to use Setup Token instead of Access URL
v1.0.0
Initial release
Metadata
Frequently Asked Questions
What is SimpleFIN Bank Connection?
Connects to bank accounts and fetches financial transactions via the SimpleFIN API. Use when the user wants to check bank balances, review recent transaction... It is an AI Agent Skill for Claude Code / OpenClaw, with 107 downloads so far.
How do I install SimpleFIN Bank Connection?
Run "/install simplefin" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is SimpleFIN Bank Connection free?
Yes, SimpleFIN Bank Connection is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does SimpleFIN Bank Connection support?
SimpleFIN Bank Connection is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created SimpleFIN Bank Connection?
It is built and maintained by eladrave (@eladrave); the current version is v1.0.2.
More Skills