copilot-money

Warn

Audited by Socket on Feb 24, 2026

1 alert found:

Security MEDIUM
SKILL.md

[Skill Scanner] Credential file access detected

No direct evidence of malware in the provided documentation; the described functionality (reading a refresh token from browser IndexedDB and using it to call Copilot Money's API) is plausible for a personal-finance CLI. However, automatic extraction of tokens from browser storage is a high-sensitivity operation that increases risk: if the package or its updates were compromised, tokens and financial data could be exfiltrated.

Recommendation: treat as medium risk until the code is reviewed. Verify that browser token extraction is implemented safely, that network endpoints are the official Copilot Money API with proper TLS and no intermediary forwarding, and require explicit user consent before scanning browser profiles. Prefer manual token entry if you cannot audit the code.

LLM verification: The documented CLI behavior is consistent with legitimate functionality for a Copilot Money client. However, the auto-detection and reading of browser IndexedDB to extract refresh tokens is a sensitive operation that significantly increases credential and supply-chain risk. Combined with an unpinned pip install recommendation and the lack of an explicit network allowlist or storage-security guarantees, this package should be treated with caution: audit the source and installation artifacts before use,
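The three signals the alert combines (browser credential-store access, an unpinned pip install, and endpoints that are plaintext or not on an allowlist) are cheap to check mechanically before a skill is installed. The scanner below is an added example written for this page; it is not Socket's Skill Scanner and not the copilot-money skill's code. The SKILL.md it scans is a constructed sample, the allowlist host `api.example-finance.invalid` stands in for the real Copilot Money API host (which this page does not give), and the rule names and severities are this example's own.

```python
"""Heuristic scan of an agent-skill manifest (SKILL.md) for the risk signals
named in the audit: browser credential-store access, unpinned pip installs,
and endpoints that are plaintext or not on an allowlist.
Added example; not Socket's Skill Scanner and not the copilot-money skill's code."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str  # "MEDIUM" or "HIGH"
    line_no: int
    detail: str


# Browser profile storage a skill should not read without explicit consent
# (Chromium IndexedDB/LevelDB, Firefox cookies/logins).
BROWSER_STORE_RE = re.compile(
    r"IndexedDB|leveldb|Local Storage|Login Data|cookies\.sqlite|logins\.json|browser profile",
    re.IGNORECASE,
)
# Credential words that, on the same line, raise the finding to HIGH.
CREDENTIAL_RE = re.compile(r"refresh[ _-]?token|access[ _-]?token|session cookie", re.IGNORECASE)
PIP_INSTALL_RE = re.compile(r"\bpip3?\s+install\s+(.+)$")
URL_RE = re.compile(r"\b(https?)://([A-Za-z0-9.-]+)")

SEVERITY_RANK = {"MEDIUM": 1, "HIGH": 2}

# Hypothetical allowlist: the real Copilot Money API host is not given on this page.
ALLOWED_HOSTS = {"api.example-finance.invalid"}

# Constructed sample manifest that trips each rule; not the real skill's SKILL.md.
SAMPLE_SKILL_MD = """\
# copilot-money (constructed sample)

## Install
pip install copilot-money-cli

## Auth
The CLI auto-detects your browser profile and reads the refresh token from IndexedDB.
Set COPILOT_TOKEN to skip browser detection.

## Endpoints
POST https://api.example-finance.invalid/v1/transactions
GET http://telemetry.example-proxy.invalid/collect
"""


def pip_is_pinned(args: str) -> bool:
    """True if every package spec carries '==', or hashes / a requirements file
    are used (which this scanner cannot inspect further)."""
    toks = args.split()
    if "-r" in toks or "--requirement" in toks or any(t.startswith("--hash") for t in toks):
        return True
    specs = [t for t in toks if not t.startswith("-")]
    return bool(specs) and all("==" in s for s in specs)


def scan_skill(text: str, allowed_hosts: Iterable[str]) -> list[Finding]:
    """Return one Finding per matched rule and line; an empty list means clean."""
    allowed = {h.lower() for h in allowed_hosts}
    findings: list[Finding] = []
    for no, line in enumerate(text.splitlines(), start=1):
        if BROWSER_STORE_RE.search(line):
            sev = "HIGH" if CREDENTIAL_RE.search(line) else "MEDIUM"
            findings.append(Finding("browser-credential-store-access", sev, no, line.strip()))
        m = PIP_INSTALL_RE.search(line)
        if m and not pip_is_pinned(m.group(1)):
            findings.append(Finding("unpinned-pip-install", "MEDIUM", no, line.strip()))
        for scheme, host in URL_RE.findall(line):
            if scheme.lower() == "http":  # no TLS: a token would travel in the clear
                findings.append(Finding("plaintext-endpoint", "HIGH", no, host))
            if host.lower() not in allowed:
                findings.append(Finding("endpoint-not-allowlisted", "MEDIUM", no, host))
    return findings


def overall_severity(findings: list[Finding]) -> str:
    """Highest severity among the findings, or "NONE" for a clean manifest."""
    if not findings:
        return "NONE"
    return max((f.severity for f in findings), key=SEVERITY_RANK.__getitem__)


if __name__ == "__main__":
    found = scan_skill(SAMPLE_SKILL_MD, ALLOWED_HOSTS)
    for f in found:
        print(f"{f.severity:6} {f.rule:32} line {f.line_no}: {f.detail}")
    print("overall:", overall_severity(found))
```

This is pre-install triage over the manifest text only; a clean result says nothing about what the installed code actually does, so the audit's advice to read the source and prefer manual token entry still stands.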

Confidence: 75%
Severity: 75%
Audit Metadata
Analyzed At
Feb 24, 2026, 05:41 AM
Package URL
pkg:socket/skills-sh/openclaw%2Fskills%2Fcopilot-money%2F@ff8a8ce5e6ea122d9e0d6ffc929ccac248fde01f