Finance Automation
Author: Chloe Park · v0.2.1
Total downloads: 1284 · Favorites: 0 · Current installs: 13 · Versions: 2
Install in OpenClaw:
/install finance-automation
Description
Automates payments, invoices, expenses, and financial reports with Stripe webhooks and real-time Telegram notifications for streamlined finance management.
Usage (SKILL.md)
Finance Automation
Automate payments, invoices, expenses, and financial reports.
Features
- Payments: Real-time payment recording via Stripe/Lemon Squeezy webhooks
- Invoices: CRUD with auto-numbering, tax calculation, send/paid status management
- Expenses: Submit, approve, reject expenses with category analytics
- Reports: Daily/monthly revenue, MRR, profit reports
- Notifications: Real-time Telegram alerts
Quick Start
```bash
cd finance-automation
cp .env.example .env
# Edit .env with your API keys
npm install
npm run db:init
npm run dev
```
API Endpoints
| Method | Path | Description |
| --- | --- | --- |
| POST | /api/invoices | Create invoice |
| GET | /api/invoices | List invoices |
| POST | /api/invoices/:id/send | Send invoice |
| POST | /api/invoices/:id/mark-paid | Mark as paid |
| POST | /api/expenses | Add expense |
| POST | /api/expenses/:id/approve | Approve expense |
| POST | /api/expenses/:id/reject | Reject expense |
| GET | /api/reports/daily | Daily revenue + expenses |
| GET | /api/reports/monthly | Monthly report |
| GET | /api/reports/summary | Period summary |
| GET | /api/reports/mrr | Monthly Recurring Revenue |
| GET | /api/reports/profit | Profit report |
Requirements
- Node.js >= 18
- SQLite3 (default) or PostgreSQL
- Stripe account (for payment webhooks)
Tags
finance, payment, invoice, expense, report, stripe, automation
Security recommendations
This repository implements the finance automation functionality it advertises, but the registry metadata is incomplete: it declares no required environment variables even though the code and docs require many secrets (Stripe, Lemon Squeezy, Telegram, SMTP, JWT secret, OpenClaw token, DB URL). Before installing or running:
- Treat this as running a networked service that will handle real payments and sensitive data. Run it in an isolated/staging environment, not directly on production systems.
- Do NOT paste or reuse production API keys until you have audited the notification and webhook code (src/services/notification.js and src/webhooks/*). Verify where notifications and outgoing requests are sent.
- Provide explicit environment variables (STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET, TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, SMTP_*, JWT_SECRET, OPENCLAW_TOKEN, DATABASE_URL) only after you confirm you trust the code and repository source. The registry metadata should have listed these — their omission is a red flag.
- Replace the default JWT secret (change-this-secret) with a strong secret before exposing the API. Confirm proper rate limits, CORS, and HTTPS are configured for production.
- Review logging/storage behavior (logs/, storage/pdfs, storage/receipts) to ensure no sensitive keys or full payment data are being written to insecure locations or committed to source control; add .env to .gitignore.
- Optionally run the service in a container or with a restricted user, monitor outbound network requests, and perform a quick code review of notification/webhook modules for any unexpected external endpoints.
If you need a safer quick test, use Stripe test keys and a throwaway Telegram bot/token and run locally behind a tunneling tool (ngrok) in a sandbox environment.
Functional analysis
Type: OpenClaw Skill
Name: finance-automation
Version: 0.2.1
The skill bundle is largely benign, implementing finance automation features. However, the `sendOpenClaw` function in `src/services/notification.js` is designed to send messages to the OpenClaw API. While currently unused in the provided code, if activated and fed user-controlled input, this function could be vulnerable to prompt injection against the OpenClaw agent. This represents a risky capability without clear malicious intent, classifying it as suspicious.
Capability assessment
Purpose & Capability
The codebase (webhooks, invoice/payment/expense handling, Telegram notifications) is coherent with the advertised purpose (finance automation). However the registry metadata claims no required environment variables or credentials while the code and docs expect many (STRIPE_*, TELEGRAM_*, SMTP_*, JWT_SECRET, OPENCLAW_TOKEN, DATABASE_URL, etc.). That metadata omission is a meaningful incoherence.
Instruction Scope
SKILL.md and QUICKSTART instruct the user to copy/edit .env and run npm install / npm run dev, plus use Stripe CLI/ngrok to forward webhooks. The runtime instructions therefore require entering and handling multiple secrets and starting a networked server. The instructions do not ask for unrelated host data, but they do direct the user to deploy a network service that will receive webhooks and transmit notifications externally — this is expected for the skill but the instructions assume providing sensitive credentials without the package metadata declaring them.
Install Mechanism
There is no remote download of arbitrary code: installation is via npm (package.json present) and local scripts (db init). No URL-based extracts or obscure installers were found. This is a normal Node.js project install pattern.
Credentials
The code expects many sensitive environment variables (Stripe keys and webhook secret, Lemon Squeezy keys, TELEGRAM_BOT_TOKEN and CHAT_ID, SMTP credentials, JWT_SECRET, OPENCLAW_TOKEN, DATABASE_URL). Those are proportionate to a finance/webhook/notification service, but the registry metadata lists none and the skill does not declare a primary credential. Additionally config.js provides an insecure default JWT secret ('change-this-secret') if JWT_SECRET is not set — a dangerous default for a service protecting financial endpoints.
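The fallback secret described above can be removed by failing closed at startup. The following is an added example, not the project's config.js: it checks the variables named on this page and rejects the `change-this-secret` default, and it assumes a 32-character minimum secret length, a `PORT` variable and `NODE_ENV` as conventions.

```javascript
// Added example: fail-closed startup validation for the settings named in the review.
const WEAK_JWT_SECRETS = new Set(['change-this-secret']); // default cited in the review
const MIN_SECRET_LENGTH = 32; // assumed policy, not taken from the project

// Variable names are the ones listed on this page; SMTP_* is omitted because
// the page does not spell out the individual names.
const REQUIRED_VARS = [
  'STRIPE_SECRET_KEY', 'STRIPE_WEBHOOK_SECRET', 'TELEGRAM_BOT_TOKEN',
  'TELEGRAM_CHAT_ID', 'JWT_SECRET', 'DATABASE_URL',
];

// Returns a list of human-readable problems; an empty list means the config is usable.
function findConfigProblems(env) {
  const problems = [];
  for (const name of REQUIRED_VARS) {
    if (!env[name] || env[name].trim() === '') problems.push(`${name} is not set`);
  }
  const secret = env.JWT_SECRET || '';
  if (WEAK_JWT_SECRETS.has(secret)) {
    problems.push('JWT_SECRET is the published default value');
  } else if (secret && secret.length < MIN_SECRET_LENGTH) {
    problems.push(`JWT_SECRET is shorter than ${MIN_SECRET_LENGTH} characters`);
  }
  // Stripe live keys start with "sk_live_"; keep them out of test/staging runs.
  if (env.NODE_ENV !== 'production' && (env.STRIPE_SECRET_KEY || '').startsWith('sk_live_')) {
    problems.push('live Stripe key used outside production');
  }
  return problems;
}

// Throws instead of falling back to a default, so the server never starts
// with a guessable signing secret. PORT is an assumed variable name.
function loadConfig(env = process.env) {
  const problems = findConfigProblems(env);
  if (problems.length > 0) {
    throw new Error(`Refusing to start: ${problems.join('; ')}`);
  }
  return { jwtSecret: env.JWT_SECRET, port: Number(env.PORT) || 3000 };
}
```

Calling `loadConfig()` before the server binds its port turns a missing or default secret into a startup failure rather than a silently weak deployment.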
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills. It creates local storage/log directories and binds to a network port (default 3000) when run; that is expected for a webhook/API service but means the user should run it in a controlled environment. Autonomous model invocation is allowed by default (not a standalone concern here).
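How to use
- Make sure OpenClaw is installed (locally or via Docker)
- Enter the install command in the chat box: /install finance-automation
- After installation, call the Skill by name or trigger it with /finance-automation
- Provide the required inputs according to the Skill's parameter description to get structured output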
Version history
v0.2.1
Update SKILL.md to English
v0.2.0
- Added support for real-time payment records via Stripe/Lemon Squeezy webhooks.
- Introduced full invoice management: CRUD, automatic numbering, tax calculation, status tracking, and sending.
- Enabled expense submission with approval/rejection workflows and category-based analysis.
- Implemented daily/monthly revenue, MRR, and profit reporting.
- Integrated Telegram real-time notifications for key events.
- Provided expanded API endpoints for invoices, expenses, and reports.
FAQ
What is Finance Automation?
Automates payments, invoices, expenses, and financial reports with Stripe webhooks and real-time Telegram notifications for streamlined finance management. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1284 downloads to date.
How do I install Finance Automation?
Run the command "/install finance-automation" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.
Is Finance Automation free?
Yes, Finance Automation is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does Finance Automation support?
Finance Automation runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Finance Automation?
Developed and maintained by Chloe Park (@chloepark85); the current version is v0.2.1.