Is davideasaf/monarch-money safe?

MONARCH_MFA_SECRET is the raw base32 TOTP seed — the cryptographic root from which an unlimited number of valid 6-digit MFA codes can be derived at any time. Unlike a temporary OTP, this secret never rotates unless the user explicitly resets MFA. Storing it in an environment variable makes it readable by any code executing in the same agent process, including other co-installed skills, allowing persistent full authentication capability to the user's Monarch Money account.

The skill ships two files specifically engineered to circumvent Monarch Money's anti-automation protections: CaptchaAvoidanceService.ts and DirectAuthenticationService.ts. This indicates the author anticipated and designed around the platform's active blocking of programmatic access. Using these techniques violates Monarch Money's Terms of Service, risks account suspension or legal exposure, and signals that the skill is intended for use in contexts the platform explicitly prohibits.

Authenticated session tokens are written to ~/.mm/session.json. While encrypted with crypto-js AES, the encryption key derivation is not visible in the reviewed code. If the key is static, derived from a predictable value, or hardcoded, any process running as the same OS user — including other installed skills — can read the file and potentially decrypt or replay the session token to authenticate as the user against Monarch Money's API.

When active, this skill provides the agent unrestricted read access to the user's complete financial history (all transactions, balances, institutions, budgets) and write access to modify transaction metadata (categories, notes, merchant names). An agent that has been prompt-injected, misconfigured, or behaves unexpectedly can silently read sensitive spending patterns or alter financial records without explicit per-operation user approval.

The user's Monarch Money account email and password must be set as plaintext environment variables (MONARCH_EMAIL, MONARCH_PASSWORD). All code executing within the agent's process — including third-party skills — can trivially read these values via process.env, enabling credential theft without any filesystem access or network activity.

The git clone operation connected only to GitHub (140.82.121.3:443, the openclaw/skills repository). All other network activity during the install window was Ubuntu/Canonical infrastructure (91.189.91.49, 185.125.188.54, 185.125.188.59) consistent with normal OS apt and motd update traffic. No DNS queries to attacker-controlled domains and no unexpected outbound connections were observed.

Six canary files were read during the monitoring window. The first batch (epoch 1771939263, 13:21:03) occurred before the git clone started (13:21:09), confirming these are the OATHE pre-install baseline reads. The second batch (epoch 1771939281) occurred after file enumeration by the audit system and matches the pattern of a post-install integrity check. No EXECVE records link these reads to skill-authored processes. All files remain intact and unmodified.

The full SKILL.md was reviewed. Content consists entirely of legitimate CLI usage documentation: environment variable requirements, command syntax, workflow examples, and error handling guidance. No instructions to override system prompts, suppress output, fetch external URLs, adopt personas, or chain with other skills were found. No steganographic tricks (invisible unicode, HTML comments, zero-width characters) were detected.