Is andreolf/watch-my-money safe?

The skill's core function requires the agent to parse and reason over complete bank/card transaction exports including merchant names, amounts, dates, and account balances. This data passes through the LLM context window where it is subject to the security posture of the agent runtime and any other co-active skills. The skill does not attempt to exfiltrate this data, but users should understand the privacy implications of feeding financial records to an AI agent.

The CLI commands section instructs the agent to invoke python -m watch_my_money with various subcommands, but no Python package is shipped in the skill bundle. The agent must either write the implementation itself (introducing code-generation risk) or assume the module exists on the user's system. This ambiguity means the skill's behavior at runtime depends heavily on how the hosting agent interprets the gap.

The skill instructs the agent to create and maintain ~/.watch_my_money/ containing state.json, monthly JSON reports, and HTML reports. While this is standard behavior for a personal finance tool and is explicitly disclosed, it creates a long-lived corpus of sensitive financial data in a predictable home-directory location accessible to any other process or skill running as the same user.

The skill instructs the agent to ask the user to confirm categories for ambiguous merchants and save overrides for future runs. If a user or attacker pastes crafted transaction descriptions containing prompt-injection payloads, those payloads would be surfaced to the agent during the categorization confirmation step. This is a low-risk theoretical vector since the skill itself does not introduce it, but hosts should be aware.

The installation process cloned from https://github.com/openclaw/skills.git (140.82.121.3:443), performed a sparse checkout of the skill subpath, copied files, and cleaned up the clone. No other external network destinations were contacted. Connection state was unchanged after install.