Is jayhickey/copilot-money safe?
https://github.com/openclaw/skills/tree/main/skills/jayhickey/copilot-money
The copilot-money skill is a documentation-only SKILL.md with no prompt injection, hidden instructions, or malicious code — the install was clean with no unexpected network activity or canary file compromise. However, the skill instructs agents to install an unofficial, non-affiliated PyPI package (copilot-money-cli) that reads browser IndexedDB storage broadly across all supported browsers to extract session tokens, and then exposes comprehensive personal financial data (balances, transactions, holdings, net worth) through the agent context. The primary risks are indirect: supply chain trust in an unofficial package with broad browser access, and the sensitivity of financial data flowing through an agent that may have other skills with outbound capabilities.
Category Scores
Findings (6)
HIGH Unofficial CLI reads broad browser IndexedDB storage -30 ▶
The skill instructs installation of copilot-money-cli, an unofficial third-party Python package explicitly not affiliated with Copilot Money. The package's browser token extraction reads IndexedDB databases from Chrome, Safari, Firefox, and Arc browser profiles. IndexedDB is a general-purpose browser storage mechanism used by many web applications; the extraction is not cryptographically scoped to Copilot Money's namespace, meaning the tool has access to session state for any site stored in the same browser profile.
HIGH Highly sensitive financial data flows through agent context -12 ▶
The skill exposes a complete personal financial picture to the agent: account numbers and balances, recent transaction history, investment holdings grouped by type/account/symbol, asset allocation breakdowns, and net worth calculations. This volume of financial data in an agent context creates meaningful privacy risk if the agent is running other skills with outbound network capabilities or if conversation logs are stored.
MEDIUM pip install of unofficial third-party package -28 ▶
The skill instructs the agent to run pip install copilot-money-cli. This package is unofficial, non-affiliated, and its PyPI publication cannot be verified as secure through skill review alone. The package executes with full user-level OS access including browser profile directory traversal. Supply chain compromise of this package would give an attacker access to browser session tokens and financial data with no indication in the SKILL.md.
MEDIUM Browser token extraction scope exceeds stated purpose -40 ▶
The config init command scans supported browser profiles broadly. A user who invokes the skill to check account balances triggers broad browser storage access as a side effect of authentication. Combined with any skill that can write files or make HTTP requests, the browser tokens obtained could be relayed externally. The risk is compounded by the fact that the installed CLI persists the token at ~/.config/copilot-money/config.json, leaving a credential artifact on disk.
LOW Broad skill trigger description may cause unintended activation -10 ▶
The skill description triggers on 'finances, account balances, recent transactions, net worth, investment allocation, or wants to sync/refresh bank data' — a wide surface area that could activate the skill during general financial conversations, potentially prompting pip install or bank refresh operations without explicit user intent.
INFO Install monitoring clean — no unexpected network or filesystem activity -5 ▶
Network monitoring shows only expected connections to GitHub for repo clone (140.82.121.4:443) and Ubuntu infrastructure for system updates. No DNS queries to suspicious domains, no unexpected process spawning, and filesystem changes confined to the skill install directory. Connection diff confirms no persistent new connections post-install.