openfin-enable-banking by Prof. Dr. Paul Pronobis · GitHub · v1.0.0 · MIT-0
313 downloads · 0 stars · 0 active installs · 1 version
Install in OpenClaw: `/install openfin-enable-banking`
Description
PSD2 Open Banking integration via Enable Banking API. Connect DACH bank accounts (Sparkasse, Volksbank, Deutsche Bank, Commerzbank, DKB, ING, Postbank + Aust...
Usage Guidance
This package implements a legitimate-looking Enable Banking integration, but review and prepare before installing:
1) Provide a config.json with 'applicationId' and 'keyPath' (the private key file must exist and be kept secret).
2) Install the Python dependencies (PyJWT, cryptography, requests) and ensure the system 'openssl' binary is available — the callback server uses openssl via subprocess to generate certs, but the skill metadata does not declare that dependency.
3) The callback server listens on network interfaces (default 0.0.0.0:8443) and will write files to .keys/, mandanten/, data/, and pending_callbacks/ in the skill directory; run this in an isolated environment and review permissions.
4) The onboarding flow prints an authorization URL to stdout that your agent/operator is expected to forward externally — ensure the channel used to forward it is secure and avoid leaking auth codes.
5) Verify the API base (api.enablebanking.com) and that you intend to register an application with Enable Banking; do not use production private keys with untrusted or third-party code.
If you want to proceed, update the skill metadata or documentation to declare the openssl dependency and the file-based config/key requirements, and run the code in a sandbox or VM first.
Capability Analysis
Type: OpenClaw Skill
Name: openfin-enable-banking
Version: 1.0.0
The skill bundle provides a functional PSD2 banking integration but contains a path traversal vulnerability in `scripts/callback_server.py`. The `state` query parameter from the OAuth callback is used without sanitization to construct a file path (`PENDING_DIR / f'{state}.json'`), which could allow an attacker to write JSON files to arbitrary locations on the filesystem. Furthermore, the callback server binds to `0.0.0.0`, making it accessible over the network, and uses `subprocess.run` to execute `openssl` for certificate generation. While these appear to be unintentional security flaws rather than malicious intent, they represent a significant risk surface.
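As an added example (not code from the skill itself), the unsanitised pattern the analysis describes is shown next to a hardened replacement that accepts only a `state` the callback server issued itself and refuses any path that resolves outside the pending directory. `PENDING_DIR`, the state format and the helper names are assumptions.

```python
"""Hardened handling of the OAuth callback 'state' parameter.

Added example, not the openfin-enable-banking skill's own code. The vulnerable
pattern from the analysis (PENDING_DIR / f'{state}.json') is kept for contrast;
the checked version only accepts states minted by new_state() and confirms the
resolved target still lives directly under PENDING_DIR.
"""
import re
import secrets
from pathlib import Path

# Assumed location; the real skill keeps pending_callbacks/ under its own directory.
PENDING_DIR = Path("pending_callbacks").resolve()

# States issued by this server; a callback server generated the state itself,
# so anything it did not issue has no business naming a file.
_ISSUED_STATES = set()
# token_urlsafe(32) yields 43 chars from [A-Za-z0-9_-]; no dots, no separators.
_STATE_RE = re.compile(r"[A-Za-z0-9_-]{32,64}")


def new_state() -> str:
    """Mint an unguessable, URL-safe state for the authorization URL."""
    state = secrets.token_urlsafe(32)
    _ISSUED_STATES.add(state)
    return state


def unsafe_pending_path(state: str) -> Path:
    """The pattern from the analysis: the query value goes straight into a path."""
    return PENDING_DIR / f"{state}.json"


def escapes_pending_dir(path: Path) -> bool:
    """True when a path built from request input resolves outside PENDING_DIR."""
    return path.resolve().parent != PENDING_DIR


def safe_pending_path(state: str) -> Path:
    """Return the file for an issued state, or raise ValueError."""
    if not _STATE_RE.fullmatch(state):
        raise ValueError("state has unexpected characters or length")
    if state not in _ISSUED_STATES:
        raise ValueError("state was not issued by this server")
    target = (PENDING_DIR / f"{state}.json").resolve()
    # Belt and braces: even a well-formed name must stay inside PENDING_DIR.
    if target.parent != PENDING_DIR:
        raise ValueError("resolved path escapes pending directory")
    return target
```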
Capability Assessment
Purpose & Capability
Name/description align with the provided code: the scripts implement onboarding, session renewal, and fetching via the Enable Banking API. Requiring a private key (for JWT) and a config.json file is reasonable for this purpose. However, metadata declares no required binaries or credentials while the code expects on-disk credentials (config.json and a private key referenced by keyPath) and Python dependencies.
Instruction Scope
SKILL.md and the scripts instruct the agent/operator to run local Python scripts and to start a callback server that listens on 0.0.0.0:8443 (HTTPS by default). The callback server auto-generates certs by invoking the system 'openssl' binary via subprocess; this subprocess use and network binding are not declared in the registry metadata. The onboarding flow prints an authorization URL to stdout for the agent to forward externally (WhatsApp/email), which is expected for OAuth but requires the agent to handle potentially sensitive URLs. The scripts also read and write local files (config.json, private key, mandanten/, data/, pending_callbacks/) — all expected but worth noting.
Install Mechanism
There is no remote install step or downloads; code is bundled with the skill and a requirements.txt lists Python libs (PyJWT, cryptography, requests). No external archives or unknown URLs are fetched during install. This reduces install-time risk.
Credentials
The skill does not declare required env vars or credentials, but it requires a config.json containing 'applicationId' and 'keyPath' and expects a private key file on disk. Those file-based credentials are proportionate to generating JWTs for the Enable Banking API. Still, the registry metadata should have documented these required files/binaries (and the need for openssl) so users know what secrets and system tools are necessary.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It writes files only under its own directory structure (mandanten/, data/, pending_callbacks/, .keys/) and does not modify other skills or global agent configs. It does open a network listener (callback server) that binds to 0.0.0.0 which increases exposure but is within the stated OAuth callback purpose.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install openfin-enable-banking`
- After installation, invoke the skill by name or use `/openfin-enable-banking`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of openfin-enable-banking: PSD2 open banking integration for DACH (Germany & Austria) banks.
- Supports onboarding, balance/transaction fetch, and session renewal for multiple mandants via Enable Banking API.
- Provides Python scripts for onboarding (`onboard.py`), fetching data (`fetch.py`), renewing sessions (`renew.py`), and running a secure callback server.
- Designed for automated workflows, including cross-platform and headless operation (manual or server-driven OAuth).
- Outputs all bank data as structured JSON, optimized for tax advisory automation.
- Clear directory structure and robust troubleshooting guide included.
- Supports both personal and business accounts for major DACH banks.
Frequently Asked Questions
What is openfin-enable-banking?
PSD2 Open Banking integration via Enable Banking API. Connect DACH bank accounts (Sparkasse, Volksbank, Deutsche Bank, Commerzbank, DKB, ING, Postbank + Aust... It is an AI Agent Skill for Claude Code / OpenClaw, with 313 downloads so far.
How do I install openfin-enable-banking?
Run "/install openfin-enable-banking" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is openfin-enable-banking free?
Yes, openfin-enable-banking is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does openfin-enable-banking support?
openfin-enable-banking is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created openfin-enable-banking?
It is built and maintained by Prof. Dr. Paul Pronobis (@ppronobis); the current version is v1.0.0.