using-openspend-cli

Warn

Audited by Socket on Mar 2, 2026

2 alerts found:

Security: MEDIUM
SKILL.md

This skill is an installation and usage guide for the openspend CLI. The primary security concern is a download-and-execute installation pattern (curl | sh) fetching a script from openspend.ai with no integrity verification — a high-risk supply-chain pattern. Using a third-party Homebrew tap and an update command increases the trust surface. There is no direct evidence in the provided text of credential exfiltration, backdoors, or obfuscated malicious code, but the installer and updater behaviors mean a compromised installer or update server could execute arbitrary code or exfiltrate tokens stored under ~/.config/openspend/config.toml. Recommend treating the curl|sh instruction as high risk: prefer installing from vetted package sources, require checksums/signatures for installers, audit the installer script before running, and review the CLI's network behavior and token storage.

Confidence: 75%, Severity: 75%

Security: MEDIUM
scripts/install.sh

The code constitutes a high-risk remote installer fetch-and-run pattern. It should be avoided or protected with integrity verification (e.g., sha256sum, PGP signature), hostname pinning, or using a trusted package manager with verified artifacts.

Confidence: 70%, Severity: 75%
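Both alerts recommend the same remedy: do not pipe a remote installer into sh; fetch it to disk, verify it against a pinned digest, read it, and only then run it. The script below is an added example (not code from the openspend project, from scripts/install.sh, or from the Socket report) of that download-verify-run flow in POSIX sh. The installer URL and the pinned SHA-256 are placeholders to be supplied by the operator; the example does not know openspend's real installer path or digest.

```shell
#!/bin/sh
# Added example, not part of the openspend project or the Socket report.
# Replaces the flagged pattern   curl -fsSL <installer-url> | sh
# with: fetch to disk, verify a pinned SHA-256, inspect, then run.
# <installer-url> and the pinned digest are placeholders that the operator
# takes from the vendor's release page or a signed checksum file.
set -eu

# SHA-256 of a file, using whichever tool the host has (coreutils or BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_installer FILE EXPECTED_SHA256
# Succeeds only on an exact digest match. On mismatch the file is deleted
# so a later step cannot run it by accident, and the function fails.
verify_installer() {
    actual=$(sha256_of "$1")
    if [ "$actual" != "$2" ]; then
        printf 'checksum mismatch for %s\n  expected: %s\n  actual:   %s\n' \
            "$1" "$2" "$actual" >&2
        rm -f "$1"
        return 1
    fi
    return 0
}

# install_verified URL EXPECTED_SHA256
# The hardened flow. --proto '=https' and --tlsv1.2 make curl refuse plain
# HTTP or legacy TLS; -f fails on HTTP errors instead of saving an error page.
# Under set -e a failed verification aborts before the installer ever runs.
install_verified() {
    tmp=$(mktemp)
    curl --proto '=https' --tlsv1.2 -fsSL -o "$tmp" "$1"
    verify_installer "$tmp" "$2"
    # The script is now on disk: read it (e.g. less "$tmp") before this step.
    sh "$tmp"
    rm -f "$tmp"
}
```

The digest check only adds assurance when the pinned value comes from a channel independent of the download host (a signed release, a vendor page fetched separately, or a checksum file verified with a PGP signature); if the hash and the script are served by the same compromised server, they will simply match each other. The same "fetch, verify, then run" discipline applies to the CLI's update command, which otherwise re-introduces the unverified download on every upgrade.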
Audit Metadata

Analyzed At: Mar 2, 2026, 06:30 PM
Package URL: pkg:socket/skills-sh/promptingcompany%2Fopenspend-cli%2Fusing-openspend-cli%2F@77319c793e7cdb9178e96fa6afd02ee2727e42f4