ClawHub

Tally Prime Skill

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is accounting-focused and mostly coherent, but it can create persistent TallyPrime ledger and inventory masters without consistently requiring a separate explicit approval step.

Install only if you are comfortable giving the agent write access to a TallyPrime company. Before use, require the agent to show the exact company, voucher, ledgers, stock items, UOMs, stock groups, godowns, and amounts it will create or post, and approve each master-data creation separately. Prefer testing on a backup or test company first.

SkillSpector (3)

By NVIDIA

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The guidance authorizes creating stock groups, UOMs, stock items, and godowns, which are master-data modifications rather than the stated task of posting entries and generating PDFs. Because these are persistent accounting/inventory changes and the instructions do not require explicit user approval or scope checks, an agent following this file could alter a company's books and inventory structure beyond user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file instructs the agent to automatically create missing inventory masters in a fixed order when an item is absent, without any warning, approval gate, or dry-run behavior. In an accounting system, silent creation of masters can pollute catalogs, misclassify goods, and cause downstream posting or tax errors that are difficult to detect and reverse.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill provides ready-to-use Import Data XML that creates accounting masters in TallyPrime, but it does not explicitly warn that these operations mutate live accounting data or require user confirmation before execution. In an agent setting, this increases the risk of accidental or unauthorized ledger creation, which can corrupt bookkeeping, misclassify transactions, and create downstream tax/reporting errors.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal