
Starling Bank

by Gpunter · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Downloads: 650
Stars: 0
Active Installs: 0
Versions: 1
Install in OpenClaw
/install starling-bank
Description
Manage Starling Bank accounts via the starling-bank-mcp server. Check balances, list transactions, create payees, make payments, manage savings goals, and tr...
Usage Guidance
This skill appears to be a legitimate Starling Bank integration, but the runtime instructions and the registry metadata don't match. Before installing or using it:
  1. Verify the starling-bank-mcp package origin and inspect its source (npm package page / GitHub repo) to ensure it's the expected implementation.
  2. Confirm you have and trust the mcporter tool the skill expects.
  3. Do not paste your STARLING_BANK_ACCESS_TOKEN until you verify the package and mcporter invocation.
  4. Prefer storing sensitive tokens in a secure secrets manager rather than agent memory/config.
  5. Ask the publisher to update the skill metadata to declare required env vars (STARLING_BANK_ACCESS_TOKEN) and required binaries (mcporter, node/npm) so the declared requirements match the instructions.
If you cannot verify the npm package and mcporter behavior, avoid installing or providing credentials.
Capability Analysis
Type: OpenClaw Skill
Name: starling-bank
Version: 1.0.0

The skill is classified as suspicious due to its inherent high-risk capabilities, which include making payments, creating payees, managing savings goals (deposits/withdrawals), and locking/unlocking bank cards, as detailed in `SKILL.md` and `references/api-details.md`. While these actions are explicitly aligned with the stated purpose of 'Manage Starling Bank accounts' and lack clear malicious intent (e.g., no data exfiltration, backdoors, or prompt injection for unauthorized actions), the nature of these financial operations constitutes 'meaningful high-risk behaviors' that prevent a 'benign' classification. The skill transparently instructs the agent to install the `starling-bank-mcp` npm package and configure it with a personal access token, which are standard but still involve external dependencies and sensitive credentials.
Capability Assessment
Purpose & Capability
The name/description match a Starling Bank integration and the SKILL.md describes appropriate API operations. However, the metadata claims no required credentials or binaries while the instructions explicitly require installing the starling-bank-mcp npm package and configuring a STARLING_BANK_ACCESS_TOKEN via mcporter. The omission of these required items from the declared requirements is an inconsistency.
Instruction Scope
The SKILL.md tells the agent/operator to globally install an npm package (starling-bank-mcp), run mcporter commands, and set STARLING_BANK_ACCESS_TOKEN in mcporter config. It also instructs storing accountUid and categoryUid in 'memory/config' for future use. The instructions therefore involve installing third-party code, providing a sensitive token, and persisting account identifiers — none of which are reflected in the skill's declared requirements. The instructions assume the presence of the mcporter tool but the skill metadata does not declare it.
Install Mechanism
There is no platform install spec; instead the SKILL.md instructs the user to run `npm i -g starling-bank-mcp`. Installing a package from the public npm registry is a common approach but carries moderate risk if the package source is unverified. The skill also relies on mcporter (not declared). Because install happens outside the skill bundle, the registry metadata should still accurately declare required binaries/credentials — which it does not.
Credentials
The runtime documentation requires a STARLING_BANK_ACCESS_TOKEN (sensitive credential) and instructs setting it in mcporter's environment, but the skill metadata lists no required env vars nor a primary credential. Asking to persist account IDs in memory/config increases the chance of sensitive data being stored. These credential and persistence expectations are disproportionate relative to the declared metadata and should have been explicitly requested/justified.
Persistence & Privilege
always:false and model invocation defaults are normal. The SKILL.md's recommendation to 'Store account details in your memory/config for future use' implies persistent storage of account identifiers (and possibly use of the token) across sessions. This is a privacy consideration; the skill does not declare how long or where data should be stored, nor how to remove it.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install starling-bank
  3. After installation, invoke the skill by name or use /starling-bank
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: full Starling Bank API integration via mcporter + starling-bank-mcp. Balance, transactions, payments, savings goals, cards, direct debits, standing orders.
Metadata
Slug starling-bank
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Starling Bank?

Manage Starling Bank accounts via the starling-bank-mcp server. Check balances, list transactions, create payees, make payments, manage savings goals, and tr... It is an AI Agent Skill for Claude Code / OpenClaw, with 650 downloads so far.

How do I install Starling Bank?

Run "/install starling-bank" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Starling Bank free?

Yes, Starling Bank is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Starling Bank support?

Starling Bank is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Starling Bank?

It is built and maintained by Gpunter (@gpunter); the current version is v1.0.0.
