Is benbjurstrom/fiscal safe?

https://github.com/openclaw/skills/tree/main/skills/benbjurstrom/fiscal

89
SAFE

The benbjurstrom/fiscal skill is a well-structured, documentation-only interface to the fiscal CLI for Actual Budget with no malicious content, no executable code, and no hidden exfiltration mechanisms. Its primary risk profile derives from the sensitive nature of the financial data it handles (full transaction history, bank credentials) and from the fiscal CLI's legitimate --module/--inline query feature which enables arbitrary JavaScript execution in the Node.js runtime. No canary files were accessed and installation behavior was clean and expected.

Category Scores

Prompt Injection 91/100 · 30%
Data Exfiltration 87/100 · 25%
Code Execution 83/100 · 20%
Clone Behavior 98/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (6)

MEDIUM fiscal query --module enables arbitrary JavaScript execution -17

The documented 'fiscal query --module ' and 'fiscal query --inline ' commands execute user-supplied JavaScript against the live Actual Budget database. If an agent running this skill can be prompted (via user input or a second injected skill) to pass attacker-controlled content as the module path or inline expression, arbitrary code executes in the Node.js runtime with access to the budget data directory and all files accessible to the process.

LOW Hide-raw-output heuristic reduces operational transparency -9

SKILL.md explicitly instructs the agent not to show raw fiscal CLI output to the user unless asked. While this is a legitimate UX pattern, it means the user cannot easily audit what shell commands are being run or what the tool actually returned, making it harder to detect if the agent is being manipulated by a second injection vector.

LOW Skill handles plaintext financial credentials and full transaction history -13

The skill documents and interacts with plaintext passwords stored in ~/.config/fiscal/config.json and the FISCAL_PASSWORD environment variable for Actual Budget server authentication. The agent will read and potentially log these values when setting up or diagnosing sync issues. Additionally, the agent processes complete bank transaction history from import files which may include sensitive payee and amount data.

LOW Bank export file import creates prompt injection surface via transaction fields -18

When the agent imports CSV/OFX/QFX bank exports, payee and notes fields from those files become part of the agent's context. A malicious bank export file (e.g., a phishing CSV downloaded from a spoofed bank portal) could embed prompt injection text in payee or memo fields that the agent would then process.

INFO Clean installation with no anomalous behavior 0

The skill was installed via a standard git sparse-checkout from the openclaw/skills monorepo. No unexpected processes were spawned, no files were written outside the skill directory, and network activity was limited to the expected GitHub HTTPS connection.

INFO No honeypot files accessed by skill 0

All six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) remained intact. File access syscalls referencing these paths are attributable to the oathe audit framework's pre- and post-audit baseline checks, not to the fiscal skill.