← 返回 Skills 市场
650
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install starling-bank
功能描述
Manage Starling Bank accounts via the starling-bank-mcp server. Check balances, list transactions, create payees, make payments, manage savings goals, and tr...
安全使用建议
This skill appears to be a legitimate Starling Bank integration, but the runtime instructions and the registry metadata don't match. Before installing or using it: (1) verify the starling-bank-mcp package origin and inspect its source (npm package page / GitHub repo) to ensure it's the expected implementation; (2) confirm you have and trust the mcporter tool the skill expects; (3) do not paste your STARLING_BANK_ACCESS_TOKEN until you verify the package and mcporter invocation; (4) prefer storing sensitive tokens in a secure secrets manager rather than agent memory/config; (5) ask the publisher to update the skill metadata to declare required env vars (STARLING_BANK_ACCESS_TOKEN) and required binaries (mcporter, node/npm) so the declared requirements match the instructions. If you cannot verify the npm package and mcporter behavior, avoid installing or providing credentials.
功能分析
Type: OpenClaw Skill
Name: starling-bank
Version: 1.0.0
The skill is classified as suspicious due to its inherent high-risk capabilities, which include making payments, creating payees, managing savings goals (deposits/withdrawals), and locking/unlocking bank cards, as detailed in `SKILL.md` and `references/api-details.md`. While these actions are explicitly aligned with the stated purpose of 'Manage Starling Bank accounts' and lack clear malicious intent (e.g., no data exfiltration, backdoors, or prompt injection for unauthorized actions), the nature of these financial operations constitutes 'meaningful high-risk behaviors' that prevent a 'benign' classification. The skill transparently instructs the agent to install the `starling-bank-mcp` npm package and configure it with a personal access token, which are standard but still involve external dependencies and sensitive credentials.
能力评估
Purpose & Capability
The name/description match a Starling Bank integration and the SKILL.md describes appropriate API operations. However, the metadata claims no required credentials or binaries while the instructions explicitly require installing the starling-bank-mcp npm package and configuring a STARLING_BANK_ACCESS_TOKEN via mcporter. The omission of these required items from the declared requirements is an inconsistency.
Instruction Scope
The SKILL.md tells the agent/operator to globally install an npm package (starling-bank-mcp), run mcporter commands, and set STARLING_BANK_ACCESS_TOKEN in mcporter config. It also instructs storing accountUid and categoryUid in 'memory/config' for future use. The instructions therefore involve installing third-party code, providing a sensitive token, and persisting account identifiers — none of which are reflected in the skill's declared requirements. The instructions assume the presence of the mcporter tool but the skill metadata does not declare it.
Install Mechanism
There is no platform install spec; instead the SKILL.md instructs the user to run `npm i -g starling-bank-mcp`. Installing a package from the public npm registry is a common approach but carries moderate risk if the package source is unverified. The skill also relies on mcporter (not declared). Because install happens outside the skill bundle, the registry metadata should still accurately declare required binaries/credentials — which it does not.
Credentials
The runtime documentation requires a STARLING_BANK_ACCESS_TOKEN (sensitive credential) and instructs setting it in mcporter's environment, but the skill metadata lists no required env vars nor a primary credential. Asking to persist account IDs in memory/config increases the chance of sensitive data being stored. These credential and persistence expectations are disproportionate relative to the declared metadata and should have been explicitly requested/justified.
Persistence & Privilege
always:false and model invocation defaults are normal. The SKILL.md's recommendation to 'Store account details in your memory/config for future use' implies persistent storage of account identifiers (and possibly use of the token) across sessions. This is a privacy consideration; the skill does not declare how long or where data should be stored, nor how to remove it.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install starling-bank - 安装完成后,直接呼叫该 Skill 的名称或使用
/starling-bank触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release: full Starling Bank API integration via mcporter + starling-bank-mcp. Balance, transactions, payments, savings goals, cards, direct debits, standing orders.
元数据
常见问题
Starling Bank 是什么?
Manage Starling Bank accounts via the starling-bank-mcp server. Check balances, list transactions, create payees, make payments, manage savings goals, and tr... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 650 次。
如何安装 Starling Bank?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install starling-bank」即可一键安装,无需额外配置。
Starling Bank 是免费的吗?
是的,Starling Bank 完全免费(开源免费),可自由下载、安装和使用。
Starling Bank 支持哪些平台?
Starling Bank 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Starling Bank?
由 Gpunter(@gpunter)开发并维护,当前版本 v1.0.0。
推荐 Skills