ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fin Audit Automator

v1.2.0

金融合规审计自动化技能。支持反洗钱 (AML) 监测、关联交易识别、发票合规性校验、监管报表自动生成。内置中国金融监管规则库(人行/银保监/证监会),所有数据处理均在本地沙箱完成,支持审计日志不可篡改。

0· 72·0 current·0 all-time
byjoe@andyxcg
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's stated purpose (local AML, invoice validation, report generation) matches the code functionality. However, index.py reads SKILLPAY_API_KEY and SKILLPAY_SKILL_ID from the environment (billing/telemetry) even though the registry metadata declares no required env vars. package.json lists dependencies (sqlalchemy, cryptography, jieba) that are not used in the runtime code, which is disproportionate to the stated functionality and suggests sloppy/incorrect metadata.
!
Instruction Scope
SKILL.md repeatedly asserts 'all data processed locally', 'network isolation', 'whitelist-only network' and 'immutable audit logs'. The code does write local audit logs and performs local AML/OCR mocks, but the sandbox implementation does not actually enforce network isolation (it merely clears proxy env vars) and does not block sockets or external requests. The 'immutable' audit log is a simple append with a short hash per line stored under ~/.openclaw and can be modified by any process/user with file access — the claim of tamper-proof logs is unsupported by the code. The skill also writes trial/subscription state to ~/.openclaw without declaring those paths in metadata.
Install Mechanism
There is no install spec (instruction-only), which minimizes supply-chain risk. However, the package includes multiple Python modules (not purely instruction-only). No external downloads or URLs are used. Because code files are included but no install instructions are declared, users should be aware files will be executed from the package as-is if installed or invoked.
!
Credentials
Metadata lists no required env vars, yet index.py reads SKILLPAY_API_KEY and SKILLPAY_SKILL_ID. The skill creates files under the user's home (~/.openclaw/...) although 'required config paths' were declared none. The dependency list includes packages not used by the code (sqlalchemy, cryptography, jieba), increasing the attack surface unnecessarily. No other credentials appear to be read, and there are no network endpoints hard-coded, but the undeclared env usage and file writes are disproportionate to the declared requirements.
!
Persistence & Privilege
The skill is not marked always:true (good), but it persists state and logs under ~/.openclaw (audit_chain.log, skill_trial, subscriptions). These config paths were not declared. While writing its own files is normal, the mismatch between metadata and actual behavior (it silently creates persistent files in the user's home) is a risk and should be disclosed to users/administrators.
What to consider before installing
This package implements local AML, invoice checks, and report generation, but several claims in the documentation are not supported by the code. Before installing or running it with sensitive data, consider: - Metadata mismatch: The package reads SKILLPAY_API_KEY and SKILLPAY_SKILL_ID from the environment even though no env vars were declared. If you don't want billing/telemetry keys available, do not set them. Ask the developer why these env vars are required and how they're used. - Local guarantees are weaker than advertised: The sandbox only clears proxy env vars and does not truly block network sockets or enforce a whitelist. Do not assume the code is network-isolated — run it in an isolated environment (VM, container, or an air-gapped host) if you need strong isolation. - Audit log is not truly immutable: The 'tamper-proof' log is a simple local file with per-line hashes; anyone with file access can truncate or replace it. If immutable logs are required, use an external append-only store or OS-level protections (WORM storage, append-only mounts). - Persistent files: The skill creates ~/.openclaw/… files for logs and trial state. Review those files, set appropriate file permissions, or run in a controlled account to avoid exposing sensitive data. - Dependency bloat: package.json lists libraries (sqlalchemy, cryptography, jieba) not used in code. That increases attack surface. Request a trimmed dependency list or scan those packages before installing in production. - Code review recommendations: Ask the author to (1) declare required env vars and config paths in metadata, (2) implement real network whitelisting or document precise network allowances, (3) provide a clear privacy/billing flow (what SKILLPAY keys do), and (4) harden the audit log or integrate with an established tamper-evident store. If you cannot get satisfactory answers, run the skill in an isolated sandbox and avoid feeding production PII/financial data.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bpzf05qebvbqcrssa2nnvbd83caxa

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments