ppronobis

openfin-enable-banking

By Prof. Dr. Paul Pronobis · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
313
Total downloads
0
Favorites
0
Current installs
1
Versions
Install in OpenClaw
/install openfin-enable-banking
Description
PSD2 Open Banking integration via Enable Banking API. Connect DACH bank accounts (Sparkasse, Volksbank, Deutsche Bank, Commerzbank, DKB, ING, Postbank + Aust...
Safe-use recommendations
This package implements a legitimate-looking Enable Banking integration, but review and prepare before installing:
  1. Provide a config.json with 'applicationId' and 'keyPath' (the private key file must exist and be kept secret).
  2. Install the Python dependencies (PyJWT, cryptography, requests) and ensure the system 'openssl' binary is available; the callback server invokes openssl via subprocess to generate certificates, but the skill metadata does not declare that dependency.
  3. The callback server listens on network interfaces (default 0.0.0.0:8443) and writes files to .keys/, mandanten/, data/, and pending_callbacks/ in the skill directory; run it in an isolated environment and review file permissions.
  4. The onboarding flow prints an authorization URL to stdout that your agent/operator is expected to forward externally; make sure the channel used to forward it is secure and avoid leaking authorization codes.
  5. Verify the API base (api.enablebanking.com) and that you actually intend to register an application with Enable Banking; do not use production private keys with untrusted or third-party code.
If you want to proceed, update the skill metadata or documentation to declare the openssl dependency and the file-based config/key requirements, and run the code in a sandbox or VM first.
Functional analysis
Type: OpenClaw Skill
Name: openfin-enable-banking
Version: 1.0.0
The skill bundle provides a functional PSD2 banking integration but contains a path traversal vulnerability in `scripts/callback_server.py`. The `state` query parameter from the OAuth callback is used without sanitization to construct a file path (`PENDING_DIR / f'{state}.json'`), which could allow an attacker to write JSON files to arbitrary locations on the filesystem. Furthermore, the callback server binds to `0.0.0.0`, making it accessible over the network, and uses `subprocess.run` to execute `openssl` for certificate generation. While these appear to be unintentional security flaws rather than malicious intent, they represent a significant risk surface.
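To make the path traversal finding concrete, the following added example (not code from the skill) shows the unsafe construction the analysis describes next to a hardened version that only accepts an opaque token shape for `state` and confirms the resolved path stays inside `PENDING_DIR`. The token format (URL-safe, 16 to 128 characters) and the temporary `PENDING_DIR` are assumptions made for the demo.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

# Constructed for the demo: a throwaway pending_callbacks/ directory.
PENDING_DIR = Path(tempfile.mkdtemp()) / "pending_callbacks"
PENDING_DIR.mkdir(parents=True, exist_ok=True)

# Assumption: the onboarding script issues `state` as a URL-safe random token.
STATE_RE = re.compile(r"^[A-Za-z0-9_-]{16,128}$")


def unsafe_pending_path(state: str) -> Path:
    """The construction the analysis describes: `state` is used unvalidated."""
    return PENDING_DIR / f"{state}.json"


def safe_pending_path(state: str) -> Optional[Path]:
    """Return the pending-callback file for `state`, or None if the value is unsafe."""
    # Shape check first: slashes, dots, NUL bytes and empty strings never reach the filesystem.
    if not STATE_RE.fullmatch(state):
        return None
    candidate = (PENDING_DIR / f"{state}.json").resolve()
    # Defence in depth: the resolved path must still be inside PENDING_DIR.
    try:
        candidate.relative_to(PENDING_DIR.resolve())
    except ValueError:
        return None
    return candidate


def is_inside_pending_dir(path: Path) -> bool:
    """True if `path` resolves to a location under PENDING_DIR (used to compare both builders)."""
    try:
        path.resolve().relative_to(PENDING_DIR.resolve())
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("abcdefghijklmnopqrstuvwxyz0123", "../../tmp/evil", ""):
        print(repr(sample), "unsafe inside:", is_inside_pending_dir(unsafe_pending_path(sample)),
              "safe:", safe_pending_path(sample))
```

In a real handler the safe variant should additionally look up `state` in the set of values the onboarding script issued, so unknown tokens are rejected before any file is written.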
Capability assessment
Purpose & Capability
Name/description align with the provided code: the scripts implement onboarding, session renewal, and fetching via the Enable Banking API. Requiring a private key (for JWT) and a config.json file is reasonable for this purpose. However, metadata declares no required binaries or credentials while the code expects on-disk credentials (config.json and a private key referenced by keyPath) and Python dependencies.
Instruction Scope
SKILL.md and the scripts instruct the agent/operator to run local Python scripts and to start a callback server that listens on 0.0.0.0:8443 (HTTPS by default). The callback server auto-generates certificates by invoking the system 'openssl' binary via subprocess; neither this subprocess use nor the network binding is declared in the registry metadata. The onboarding flow prints an authorization URL to stdout for the agent to forward externally (WhatsApp/email), which is expected for OAuth but requires the agent to handle potentially sensitive URLs. The scripts also read and write local files (config.json, the private key, mandanten/, data/, pending_callbacks/); all of this is expected for the stated purpose but worth noting.
Install Mechanism
There is no remote install step or downloads; code is bundled with the skill and a requirements.txt lists Python libs (PyJWT, cryptography, requests). No external archives or unknown URLs are fetched during install. This reduces install-time risk.
Credentials
The skill does not declare required env vars or credentials, but it requires a config.json containing 'applicationId' and 'keyPath' and expects a private key file on disk. Those file-based credentials are proportionate to generating JWTs for the Enable Banking API. Still, the registry metadata should have documented these required files/binaries (and the need for openssl) so users know what secrets and system tools are necessary.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It writes files only under its own directory structure (mandanten/, data/, pending_callbacks/, .keys/) and does not modify other skills or global agent configs. It does open a network listener (the callback server) bound to 0.0.0.0, which increases exposure but is within the stated OAuth callback purpose.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment).
  2. Enter the install command in the chat box: /install openfin-enable-banking
  3. After installation, call the Skill by name directly or trigger it with /openfin-enable-banking
  4. Provide the required inputs according to the Skill's parameter description to receive structured output.
Version history
v1.0.0
Initial release of openfin-enable-banking: PSD2 open banking integration for DACH (Germany & Austria) banks.
- Supports onboarding, balance/transaction fetch, and session renewal for multiple mandants via the Enable Banking API.
- Provides Python scripts for onboarding (`onboard.py`), fetching data (`fetch.py`), renewing sessions (`renew.py`), and running a secure callback server.
- Designed for automated workflows, including cross-platform and headless operation (manual or server-driven OAuth).
- Outputs all bank data as structured JSON, optimized for tax advisory automation.
- Clear directory structure and robust troubleshooting guide included.
- Supports both personal and business accounts for major DACH banks.
Metadata
Slug openfin-enable-banking
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Historical versions 1
FAQ

What is openfin-enable-banking?

PSD2 Open Banking integration via Enable Banking API. Connect DACH bank accounts (Sparkasse, Volksbank, Deutsche Bank, Commerzbank, DKB, ING, Postbank + Aust... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 313 downloads to date.

How do I install openfin-enable-banking?

Run the command "/install openfin-enable-banking" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is openfin-enable-banking free?

Yes, openfin-enable-banking is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does openfin-enable-banking support?

openfin-enable-banking runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed openfin-enable-banking?

Developed and maintained by Prof. Dr. Paul Pronobis (@ppronobis); current version v1.0.0.
