Moxie — the open-source money agent that acts on your money, only with your approval. Local-first, consent-first.
Project description
🦡 Moxie
The open-source money agent that acts — and never without your say-so.
Moxie doesn't care about a company's excuses. It just gets your money back — and asks you first, every time.
Named for the honey badger — small, fearless, famously relentless. It badgers companies until your money comes back.
The whole loop in 30 seconds: scan finds ~$591/yr of waste in the sample data, review shows you each fix and asks first (that n is the point — you're in control), verify proves the audit log hasn't been touched. Runs on bundled sample data — no bank, no API key.
Why Moxie exists
AI agents today split into two camps: ones that reach everywhere (OpenClaw) and ones that get smarter over time (Hermes). Neither answers the question that actually matters with your money: what will you let it do when the downside is real?
Look at who already touches your money:
- Receipt & finance organizers (Expensify, Firefly III, Receiptor AI) — they file and track. They don't act.
- Money-action services (DoNotPay, Rocket Money, Pine AI) — they act, but as closed black boxes that have burned users' trust (DoNotPay was FTC-fined for overstating its AI; Rocket Money has acted as users without asking).
- ChatGPT + Plaid — read-only by design: it can spot a subscription to cancel, but it won't cancel it.
Moxie bridges the gap, trust-first. It files your receipts (email + photo), reads your accounts, finds waste and wrong charges, and acts on them — cancelling, disputing, chasing refunds — but every action is previewed, approved by you, logged in a tamper-evident audit trail, and backed by the receipt as evidence. It's open-source and local, so you can read every line and your data never has to leave your machine.
Moxie never moves money. It cancels, disputes, and negotiates on your behalf. Paying, transferring, and trading are deliberately out of scope (that's a licensing and liability minefield). See the build spec.
What it does
- Receipt vault — moxie receipt photo.jpg (local Tesseract OCR — images never leave your machine) or moxie receipt --email (read-only IMAP scan). Parsed, filed, matched to transactions, and attached to disputes as evidence automatically.
- Finds problems — zombie subscriptions, duplicate/wrong charges, missing refunds, gouge renewals.
- Acts — with your consent — drafts the cancellation/dispute, shows it to you (editable), and sends it only when you approve and MOXIE_LIVE=true. Default is drafts-only. Receipt attached as proof.
- Three action tiers — email from your own mailbox (SMTP), guided deep-links (Moxie shows the exact cancel page + clicks; you click), and per-merchant browser automation (optional, double-gated, sandboxed).
- Trust Vault — deny-by-default policy engine, preview/simulate, approval gates, and a hash-chained, tamper-evident audit log.
- Community skill library — reusable "how to cancel with X / dispute with Y" skills, each carrying its own success rate.
- Local-first & BYO key — runs on your machine with your own LLM API key, or fully offline with a local model.
Quickstart
# install (from source today; `pip install moxie-agent` once on PyPI)
git clone https://github.com/JacobBrooke1/moxie.git
cd moxie
pip install -e . # or: ./install.sh
# try it with built-in sample data — no bank, no API key needed
# (Windows: if `moxie` isn't recognized, pip's Scripts dir isn't on PATH —
# use `python -m moxie <command>` instead; works everywhere)
moxie init
moxie scan # finds issues in sample transactions
moxie review # shows each fix, asks you to approve, then drafts it
moxie log # the tamper-evident audit trail
moxie verify # confirms the log hasn't been altered
moxie doctor # checks your setup: python, key, audit, skills
The demo runs entirely on bundled sample data so you can see the consent-first loop end to end before connecting anything real.
Ready for your real data? Both paths are local and read-only — nothing leaves your machine:
moxie scan --csv statement.csv # any bank CSV export — headers auto-detected
moxie scan --pdf statement.pdf # bank statement PDFs (NatWest-style; pip install pypdf)
Or link your bank for automatic read-only imports — your choice of provider, bring your own (free) credentials:
moxie connect truelayer # UK default (NatWest etc.; free sandbox at console.truelayer.com)
moxie connect gocardless # most generous free tier (bankaccountdata.gocardless.com)
moxie connect plaid # strong US coverage (dashboard.plaid.com)
moxie sync # pull fresh transactions + balances any time
Honesty note: every aggregator is a cloud third party. You hold the provider account (Moxie the project runs no servers), access is read-only AIS — Moxie cannot move money by construction — and CSV/PDF remains the fully no-cloud path. UK consents lapse ~90 days; moxie doctor and the dashboard tell you when to re-consent.
Going live (optional — everything works drafts-only without this): approving an action really sends it only when you flip the flag and configure your own mailbox:
# .env — your own email account (use an app password, never your real one)
MOXIE_SMTP_HOST=smtp.gmail.com
MOXIE_SMTP_USER=you@gmail.com
MOXIE_SMTP_PASSWORD=your-app-password
MOXIE_LIVE=true # default: false = drafts only
moxie review # 🔴 live: an approved cancel actually emails
moxie kill # panic button: force drafts-only until --release
Cancellations that work better on the merchant's website use guided deep-links: Moxie shows the exact URL and clicks (from the merchant's skill) and you do the final click — no passwords, no CAPTCHA fights.
⚠️ Status: feature-complete, pre-review. The Trust Vault, live action layer, bank providers, receipts, and the security hardening checklist (encryption at rest, OS keychain, dashboard token/CSRF, rate limiting) are all implemented and tested. What's missing is an independent security review — until then, use your own judgment with real financial data, keep MOXIE_LIVE off unless you've read the code, and see SECURITY.md for exactly where the edges are.
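The gating described above (user approval, the MOXIE_LIVE flag, the kill switch, and money movement denied in policy) can be sketched as one decision function. This is an added example, not Moxie's own code; the action names, the `decide` function, the outcome labels and the exact-match parsing of the flag are assumptions.

```python
from dataclasses import dataclass

# Hypothetical action vocabulary; Moxie's real policy names are not shown on this page.
ALLOWED = {"cancel", "dispute", "refund_request"}
HARD_DENIED = {"pay", "transfer", "trade"}


def is_live(env: dict) -> bool:
    """Fail safe: only the literal value 'true' enables sending.

    A missing variable, '1', 'yes' or a typo all leave the agent in drafts-only mode.
    """
    return env.get("MOXIE_LIVE", "false").strip().lower() == "true"


@dataclass(frozen=True)
class Decision:
    outcome: str  # "deny" | "hold" | "draft" | "send"
    reason: str


def decide(action: str, approved: bool, env: dict, killed: bool = False) -> Decision:
    """Evaluate the gates from most to least restrictive."""
    if action in HARD_DENIED:
        return Decision("deny", "money movement is out of scope")
    if action not in ALLOWED:
        # Deny by default: anything not explicitly allowed is refused.
        return Decision("deny", "action is not on the allow-list")
    if not approved:
        return Decision("hold", "waiting for the user's approval")
    if killed:
        # The kill switch overrides the live flag until it is released.
        return Decision("draft", "kill switch engaged")
    if not is_live(env):
        return Decision("draft", "MOXIE_LIVE is not 'true'")
    return Decision("send", "approved and live")
```

The order of the checks matters: the policy denial comes before approval, so an approved request for a denied action is still refused, and the kill switch comes before the live flag, so it wins even when the flag is set.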
How it works
CAPTURE receipts (email + photo/OCR) + CONNECT accounts (Plaid / CSV, read-only)
→ ORGANIZE file receipts, match to transactions
→ DETECT zombie subs, duplicate charges, missing refunds
→ PROPOSE an action card: "Dispute this $40 double charge? I have the receipt."
→ APPROVE you confirm (because it can't be undone)
→ EXECUTE cancellation / dispute / refund email
→ LOG append-only, hash-chained audit trail with the receipt attached
Nothing in the right-hand column happens without passing the Trust Vault. For the full security model — the deny-by-default policy engine, the fail-safe consent design, the hash-chain math, and the threat model — see docs/HOW_IT_WORKS.md.
Why preview-and-approve, not "undo"
Most money actions are one-way — you can't cleanly un-cancel a subscription or un-send a dispute. So Moxie's safety is before the action (simulate → approve), not a promise to reverse it after. That's the whole reason consent is mandatory.
Run it 24/7
moxie serve # dashboard + Telegram bot + daily loop, one process
The daily loop re-scans every morning and pings you only when there's something new to decide. A Mac mini at home is the ideal host — always-on, and your bank data never leaves a machine you own. systemd/launchd units and a Dockerfile ship in deploy/; the full guide is docs/HOSTING.md.
Moxie Dash — the control plane
moxie dashboard # → http://127.0.0.1:8484
A local status page in the OpenClaw / Hermes tradition, but money-shaped: heartbeat, brain, Telegram, data, and audit-chain status at a glance, findings with approve/skip (same Trust Vault pipeline), and — most importantly — the setup home: paste your API key and BotFather token here, click detect my chat id, and it walks you through Telegram pairing. Keys are written to ~/.moxie/.env on the machine Moxie runs on; the audit log records that setup changed, never the secrets themselves.
It binds to 127.0.0.1 only. Running Moxie on a Mac mini or a VPS? Reach the dash through an SSH tunnel (ssh -L 8484:127.0.0.1:8484 you@host) — never expose it to the open internet.
The brain & the Telegram channel
Moxie has three layers, and you can stop at any of them:
- Rules (no key needed) — deterministic, explainable detectors. Everything above runs on these. Eight of them: duplicate charges, zombie subscriptions, trials-that-stuck, price-hike renewals, duplicate services, bank fees, FX fees, and short refunds.
- The brain (bring your own Anthropic key) — set MOXIE_API_KEY in a .env file and ask it things: moxie ask "can I afford £120 trainers this month?". Answers are grounded in the money picture — real income, committed subscriptions, and what's genuinely left this month (moxie budget shows the same figures; balance appears once a bank is linked). It states figures and trade-offs and lets you decide — it's not a financial adviser and won't pretend to be. Its standing orders live in ~/.moxie/instructions.md — a plain-English list of what it should do each day. Edit it; that file is the agent.
- The offline brain (no key, no cloud) — run a local model instead: install Ollama, ollama pull llama3.1, and set MOXIE_MODEL=ollama:llama3.1. Same instructions, same guardrails, zero cloud calls.
- The Telegram channel (optional) — moxie telegram runs a bot you can text like a PA, plus a daily loop that re-scans and messages you only when there's something new to decide. Decisions are remembered — skip something once and Moxie won't nag you about it for 60 days.
# .env: TELEGRAM_BOT_TOKEN from @BotFather, then pair:
moxie telegram # message your bot; it replies with your chat id
# put MOXIE_TELEGRAM_CHAT_ID=<that id> in .env, restart, done
Channel security (borrowed from OpenClaw's design): the bot is paired to exactly one chat and ignores everyone else; approvals are two-step (/approve 2, then YES); the brain never executes anything — every action still passes the Trust Vault; and sensitive setup (keys, bank links) only ever happens on your computer, never over chat.
Privacy & security
- Local-first. Your receipts, transactions, and audit log live on your machine — encrypted at rest once you run moxie encrypt on.
- Bring your own key. Moxie uses your LLM API key, or a local/offline model (Ollama) + local OCR (Tesseract) so receipt images never touch a cloud service. moxie secret set keeps keys in the OS keychain instead of a file.
- Least privilege. Bank access is read-only AIS via a provider you choose and own; Moxie never moves money — it's hard-denied in policy.
- Tamper-evident. The audit log is hash-chained — any edit to past entries fails moxie verify.
Security is the precondition for everything else here — see SECURITY.md.
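How a hash-chained log makes edits to past entries detectable, as an added sketch that is not Moxie's implementation (the project's own hash-chain details are in docs/HOW_IT_WORKS.md). The entry layout, the all-zero genesis value and the function names are assumptions, and the sample entries are constructed.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumed "previous hash" for the first entry


def digest(seq: int, prev: str, body: dict) -> str:
    """SHA-256 over a canonical JSON encoding of position, link and content."""
    payload = json.dumps({"seq": seq, "prev": prev, "body": body},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append(log: list, body: dict) -> dict:
    """Append an entry whose hash commits to everything before it."""
    seq = len(log)
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": seq, "prev": prev, "body": body,
             "hash": digest(seq, prev, body)}
    log.append(entry)
    return entry


def verify(log: list, expected_head: Optional[str] = None) -> Optional[int]:
    """Return the index of the first bad entry, or None if the chain holds.

    expected_head is the last hash as recorded somewhere separate from the
    log; without it, entries dropped from the tail go unnoticed.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        recomputed = digest(entry["seq"], entry["prev"], entry["body"])
        if entry["seq"] != i or entry["prev"] != prev or entry["hash"] != recomputed:
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)  # chain is internally consistent but not the one expected
    return None


def sample_log() -> list:
    """Constructed sample entries, not real Moxie log records."""
    log: list = []
    append(log, {"event": "propose", "action": "cancel", "merchant": "ExampleStream"})
    append(log, {"event": "approve", "action": "cancel", "approved_by": "user"})
    append(log, {"event": "draft", "action": "cancel", "live": False})
    return log
```

Editing a past entry is caught at that entry, and recomputing only that entry's hash moves the failure to the next link. A log that has lost entries from its tail still verifies on its own, which is why the sketch also accepts a separately recorded head hash.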
Built on the OpenClaw / Hermes ecosystem
Moxie deliberately fits the world it came from, so the plumbing is familiar and only the moat is new:
- Language & install — Python (Hermes is ~82% Python), installed via a one-line curl … | bash that prefers uv, exactly like Hermes.
- Skills — the same SKILL.md convention used by OpenClaw and the agentskills.io standard (they live in moxie/seed_skills/ and ship in the package), so skills stay portable and shareable (think ClawHub, but for money-actions).
- Familiar CLI — moxie doctor and friends echo hermes doctor / openclaw so anyone from that world feels at home.
- Sandboxing — action execution is designed to run sandboxed (Docker by default, as OpenClaw does for untrusted sessions).
What's not borrowed is the whole point: the Trust Vault (consent-first, tamper-evident) and the money-action layer are ours.
Contributing
The most valuable contribution is skills — encoded know-how for cancelling/disputing with a specific merchant, bank, or service; they genuinely drive how Moxie acts. See moxie/seed_skills/README.md for the format, CONTRIBUTING.md for good first issues, and integrations/moxie-bridge/ if you want your OpenClaw/Hermes agent to talk to Moxie (look, never touch).
Design
The security model and architecture rationale live in docs/HOW_IT_WORKS.md — including why Moxie is standalone rather than a skill inside a general-purpose agent, and exactly what the Trust Vault does and doesn't defend against.
License
MIT — free and open. Use it, fork it, learn from it.
File details
Details for the file moxie_agent-0.1.0.tar.gz.
File metadata
- Download URL: moxie_agent-0.1.0.tar.gz
- Upload date:
- Size: 103.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | bc7b6eea38e903972d741f87d79a3500d09b783410e1b64ad18f67deba02bb09 |
| MD5 | 82e56a0fdd3c29b17586b8393854a980 |
| BLAKE2b-256 | 61ed0d34288931ca8ca6b8850c932dd77c948d615c90e67e9f14698617b6ff56 |
Provenance
The following attestation bundles were made for moxie_agent-0.1.0.tar.gz:
Publisher: release.yml on JacobBrooke1/moxie
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: moxie_agent-0.1.0.tar.gz
  - Subject digest: bc7b6eea38e903972d741f87d79a3500d09b783410e1b64ad18f67deba02bb09
- Sigstore transparency entry: 2053335360
- Sigstore integration time:
- Permalink: JacobBrooke1/moxie@ba0cf9404ec6b26f1fbdeff12b3a3ebd035b4eaf
- Branch / Tag: refs/tags/v0.1.0
- Owner: https://github.com/JacobBrooke1
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@ba0cf9404ec6b26f1fbdeff12b3a3ebd035b4eaf
- Trigger Event: push
File details
Details for the file moxie_agent-0.1.0-py3-none-any.whl.
File metadata
- Download URL: moxie_agent-0.1.0-py3-none-any.whl
- Upload date:
- Size: 87.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 597bed160a837cc3150cc59665886a2759ad0370b7f3e04969cdb40571cf3f98 |
| MD5 | eeda3b739fa53690f9872de4b4cd32d1 |
| BLAKE2b-256 | b4f9c629fa6902c8c8cfa5eda0b8e32e8c9b32cd0916420407386eef6ad7ddb7 |
Provenance
The following attestation bundles were made for moxie_agent-0.1.0-py3-none-any.whl:
Publisher: release.yml on JacobBrooke1/moxie
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: moxie_agent-0.1.0-py3-none-any.whl
  - Subject digest: 597bed160a837cc3150cc59665886a2759ad0370b7f3e04969cdb40571cf3f98
- Sigstore transparency entry: 2053335695
- Sigstore integration time:
- Permalink: JacobBrooke1/moxie@ba0cf9404ec6b26f1fbdeff12b3a3ebd035b4eaf
- Branch / Tag: refs/tags/v0.1.0
- Owner: https://github.com/JacobBrooke1
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@ba0cf9404ec6b26f1fbdeff12b3a3ebd035b4eaf
- Trigger Event: push