Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Accounting Assistant
v1.0.0
Accounting automation with EÜR preparation, DATEV export, PDF receipt analysis, and tax preparation. Ideal for freelancers and SMEs.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
Name/description align with the included scripts (PDF invoice analysis, EÜR, DATEV export, invoice generation). However the package metadata declares no required binaries or packages while the code clearly needs external tools (pdftotext) and Python libraries (fpdf). This mismatch is unexpected and should be clarified before use.
Instruction Scope
SKILL.md only shows running the Python scripts, which is consistent. The scripts themselves perform filesystem operations (walking folders, reading PDFs, writing outputs), invoke a local binary via subprocess (pdftotext), and create files (rechnungen/ outputs, CSV). They do not make network calls, but they will read arbitrary paths the user passes in — a user or agent could inadvertently point them at broad directories and cause wide data access. The SKILL.md does not warn about these filesystem effects or list the external binary/library requirements.
Install Mechanism
There is no install specification, which avoids arbitrary remote downloads (good), but the code depends on pdftotext (external binary from poppler) and the Python package 'fpdf' — neither is declared in the metadata or SKILL.md. That omission is a practical risk: running the scripts will fail or behave unexpectedly if these dependencies are missing, and the user/agent may try to install them ad-hoc.
Credentials
The skill requests no environment variables or credentials. The code contains hard-coded example contact and bank fields (IBAN, email, phone) for the author's company, but these are static strings (likely placeholders) and not secrets requested from the environment.
Persistence & Privilege
The skill does not request persistent privileges and 'always' is false. It writes output files under local directories (e.g., 'rechnungen/') which is expected behavior for an accounting tool and does not modify other skills or global agent settings.
What to consider before installing
This skill contains working scripts for PDF invoice analysis, EÜR and DATEV export and invoice generation, but the package metadata omits required runtime components. Before installing or running:
1) Review and test in an isolated environment (VM or container).
2) Install dependencies manually: ensure pdftotext (poppler) is available on PATH and pip-install the fpdf package (and any other Python packages your environment requires).
3) Inspect hard-coded values (IBAN, emails, company names) and change them if they expose private data or placeholders.
4) When running the analyzer, pass a specific folder or file; avoid pointing it at system root or broad directories to prevent accidental scanning of unrelated PDFs.
5) Confirm output files go to expected local directories and no network activity is performed.
If you need higher assurance, ask the author for an explicit dependency list and a manifest or run a security audit on the scripts.
Like a lobster shell, security has layers — review code before you run it.
latestvk979yvv2f7dxqrj4h44kq72ab183rh6t
