Bundle Plugin
source linked
Yoshi Finance v1.3.2
Yoshi Finance — personal financial intelligence for OpenClaw. Includes setup, spending analysis, debt optimization, budget planning, goal tracking, and more.
openclaw bundles install clawhub:yoshi-finance
Latest release: v1.3.2
Capabilities
- Bundle format: generic
- Host targets: openclaw
- Runtime ID: yoshi-finance
Compatibility
- Built With Open Claw Version: 1.3.2
- Min Gateway Version: 2026.3.24
- Plugin Api Range: >=2026.3.24
Security Scan
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (personal finance: setup, spending analysis, budgeting, goals, investments, debt optimization) match the included SKILL.md files and the small extension bootstrap. The tasks and required CLI tools (mcporter, curl, jq, openclaw) are coherent with performing an OAuth MCP setup and calling the Yoshi API; nothing requests unrelated cloud/provider credentials or unrelated system access.
Instruction Scope
Most runtime SKILL.md files only describe calling Yoshi MCP tools and explicitly claim they do not store user data on disk. However, the yoshi-setup skill contains detailed instructions that write sensitive state to disk (~/.yoshi-mcp-state.json), create an executable refresh script (~/.yoshi-mcp-refresh.sh), set restrictive permissions, and add a cron entry. Those setup actions are within the scope of establishing persistent OAuth access, but they contradict the repeated 'does not store any data on disk' reassurance in other skills and materially expand the agent's actions beyond in-conversation reads.
Install Mechanism
This is an instruction-only skill with no install spec and a tiny no-op extension file. That minimizes installer risk. The setup flow suggests installing mcporter via npm if missing (npm install -g mcporter) — installing a third-party CLI is expected for the local OAuth flow but is an external dependency the user should validate before running.
Credentials
The bundle does not require unrelated environment variables. It does, however, instruct storing and using sensitive credentials (access_token and refresh_token) in a local state file and updating the OpenClaw MCP config with a bearer token. Storing those tokens is necessary for the intended persistent MCP connection, but it is sensitive and should be done intentionally by the user. No other unrelated secrets are requested.
Persistence & Privilege
The setup flow creates persistent artifacts (state file, refresh script) and schedules a cron job to run every 45 minutes. Although this persistence is justifiable for token refresh, it does modify the user's crontab and home directory. The skill is not marked always:true and does not autonomously install itself, but it does ask the user to enable ongoing background refresh behavior which increases its persistence and potential blast radius if misused.
Assessment
This plugin is internally coherent for a personal-finance connector: the analysis and workflow skills call a Yoshi MCP API as advertised. Key things to consider before installing:
1) The yoshi-setup skill will store OAuth tokens (access_token and refresh_token) in ~/.yoshi-mcp-state.json and create ~/.yoshi-mcp-refresh.sh plus a cron entry to refresh tokens. These are sensitive artifacts — inspect the exact files, their permissions, and the cron job before running them.
2) The setup suggests installing third-party CLIs (mcporter via npm); verify the upstream project and package source before npm installing globally.
3) If you run OpenClaw on a hosted server, the manual flow will result in long-lived tokens on that server; consider whether you prefer the local mcporter flow instead or to keep refresh scripts under your own control.
4) Confirm the domain used (agents.yoshi.ai) is the expected service for your usage.
5) If you want additional assurance, ask the maintainer for a signed release, or run the setup steps manually line-by-line rather than blindly pasting the provided scripts/cron entry.
Verification
- Tier: source linked
- Scope: artifact only
- Summary: Validated package structure and linked the release to source metadata.
- Commit: d58c4a136015
- Tag: d58c4a136015411cb9949b8675a40ccc1160e799
- Provenance: No
- Scan status: clean
Tags
- latest
- 1.3.2
