chloepark85

Finance Automation

by Chloe Park · GitHub ↗ · v0.2.1
cross-platform ⚠ suspicious
1284 Downloads · 0 Stars · 13 Active Installs · 2 Versions
Install in OpenClaw
/install finance-automation
Description
Automates payments, invoices, expenses, and financial reports with Stripe webhooks and real-time Telegram notifications for streamlined finance management.
README (SKILL.md)

Finance Automation

Automate payments, invoices, expenses, and financial reports.

Features

  • Payments: Real-time payment recording via Stripe/Lemon Squeezy webhooks
  • Invoices: CRUD with auto-numbering, tax calculation, send/paid status management
  • Expenses: Submit, approve, reject expenses with category analytics
  • Reports: Daily/monthly revenue, MRR, profit reports
  • Notifications: Real-time Telegram alerts

Quick Start

cd finance-automation
cp .env.example .env
# Edit .env with your API keys
npm install
npm run db:init
npm run dev

API Endpoints

POST   /api/invoices              Create invoice
GET    /api/invoices              List invoices
POST   /api/invoices/:id/send     Send invoice
POST   /api/invoices/:id/mark-paid Mark as paid

POST   /api/expenses              Add expense
POST   /api/expenses/:id/approve  Approve expense
POST   /api/expenses/:id/reject   Reject expense

GET    /api/reports/daily          Daily revenue + expenses
GET    /api/reports/monthly        Monthly report
GET    /api/reports/summary        Period summary
GET    /api/reports/mrr            Monthly Recurring Revenue
GET    /api/reports/profit         Profit report

Requirements

  • Node.js >= 18
  • SQLite3 (default) or PostgreSQL
  • Stripe account (for payment webhooks)

Tags

finance, payment, invoice, expense, report, stripe, automation

Usage Guidance
This repository implements the finance automation functionality it advertises, but the registry metadata is incomplete: it declares no required environment variables even though the code and docs require many secrets (Stripe, Lemon Squeezy, Telegram, SMTP, JWT secret, OpenClaw token, DB URL). Before installing or running:

  • Treat this as running a networked service that will handle real payments and sensitive data. Run it in an isolated/staging environment, not directly on production systems.
  • Do NOT paste or reuse production API keys until you have audited the notification and webhook code (src/services/notification.js and src/webhooks/*). Verify where notifications and outgoing requests are sent.
  • Provide explicit environment variables (STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET, TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, SMTP_*, JWT_SECRET, OPENCLAW_TOKEN, DATABASE_URL) only after you confirm you trust the code and repository source. The registry metadata should have listed these — its omission is a red flag.
  • Replace the default JWT secret (change-this-secret) with a strong secret before exposing the API. Confirm proper rate limits, CORS, and HTTPS are configured for production.
  • Review logging/storage behavior (logs/, storage/pdfs, storage/receipts) to ensure no sensitive keys or full payment data are being written to insecure locations or committed to source control; add .env to .gitignore.
  • Optionally run the service in a container or with a restricted user, monitor outbound network requests, and perform a quick code review of notification/webhook modules for any unexpected external endpoints.

If you need a safer quick test, use Stripe test keys and a throwaway Telegram bot/token and run locally behind a tunneling tool (ngrok) in a sandbox environment.
Capability Analysis
Type: OpenClaw Skill
Name: finance-automation
Version: 0.2.1

The skill bundle is largely benign, implementing finance automation features. However, the `sendOpenClaw` function in `src/services/notification.js` is designed to send messages to the OpenClaw API. While currently unused in the provided code, if activated and fed user-controlled input, this function could be vulnerable to prompt injection against the OpenClaw agent. This represents a risky capability without clear malicious intent, classifying it as suspicious.
Capability Assessment
Purpose & Capability
The codebase (webhooks, invoice/payment/expense handling, Telegram notifications) is coherent with the advertised purpose (finance automation). However the registry metadata claims no required environment variables or credentials while the code and docs expect many (STRIPE_*, TELEGRAM_*, SMTP_*, JWT_SECRET, OPENCLAW_TOKEN, DATABASE_URL, etc.). That metadata omission is a meaningful incoherence.
Instruction Scope
SKILL.md and QUICKSTART instruct the user to copy/edit .env and run npm install / npm run dev, plus use Stripe CLI/ngrok to forward webhooks. The runtime instructions therefore require entering and handling multiple secrets and starting a networked server. The instructions do not ask for unrelated host data, but they do direct the user to deploy a network service that will receive webhooks and transmit notifications externally — this is expected for the skill but the instructions assume providing sensitive credentials without the package metadata declaring them.
Install Mechanism
There is no remote download of arbitrary code: installation is via npm (package.json present) and local scripts (db init). No URL-based extracts or obscure installers were found. This is a normal Node.js project install pattern.
Credentials
The code expects many sensitive environment variables (Stripe keys and webhook secret, Lemon Squeezy keys, TELEGRAM_BOT_TOKEN and CHAT_ID, SMTP credentials, JWT_SECRET, OPENCLAW_TOKEN, DATABASE_URL). Those are proportionate to a finance/webhook/notification service, but the registry metadata lists none and the skill does not declare a primary credential. Additionally config.js provides an insecure default JWT secret ('change-this-secret') if JWT_SECRET is not set — a dangerous default for a service protecting financial endpoints.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills. It creates local storage/log directories and binds to a network port (default 3000) when run; that is expected for a webhook/API service but means the user should run it in a controlled environment. Autonomous model invocation is allowed by default (not a standalone concern here).
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install finance-automation
  3. After installation, invoke the skill by name or use /finance-automation
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.2.1
Update SKILL.md to English
v0.2.0
  • Added support for real-time payment records via Stripe/Lemon Squeezy webhooks.
  • Introduced full invoice management: CRUD, automatic numbering, tax calculation, status tracking, and sending.
  • Enabled expense submission with approval/rejection workflows and category-based analysis.
  • Implemented daily/monthly revenue, MRR, and profit reporting.
  • Integrated Telegram real-time notifications for key events.
  • Provided expanded API endpoints for invoices, expenses, and reports.
Metadata
Slug finance-automation
Version 0.2.1
License
All-time Installs 13
Active Installs 13
Total Versions 2
Frequently Asked Questions

What is Finance Automation?

Automates payments, invoices, expenses, and financial reports with Stripe webhooks and real-time Telegram notifications for streamlined finance management. It is an AI Agent Skill for Claude Code / OpenClaw, with 1284 downloads so far.

How do I install Finance Automation?

Run "/install finance-automation" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Finance Automation free?

Yes, Finance Automation is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Finance Automation support?

Finance Automation is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Finance Automation?

It is built and maintained by Chloe Park (@chloepark85); the current version is v0.2.1.
