Adp Skill

ReviewAudited by ClawScan on May 1, 2026.

Overview

This instruction-only skill is coherent for document extraction, but users should notice that it sends documents and ADP credentials to an external Laiye API.

This skill appears benign and purpose-aligned. Before installing, verify the Laiye ADP source, keep ADP keys in a secure secret store or environment variables, and only process documents that your organization permits sending to the external ADP service.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI03: Identity and Privilege Abuse

What this means

Anyone installing the skill should understand that using it requires ADP account credentials that could affect account access or usage credits if mishandled.

Why it was flagged

The skill requires tenant/app API credentials for the documented service, while registry metadata lists no required env vars or primary credential.

Skill content

Required Environment Variables ... ADP_ACCESS_KEY ... ADP_APP_KEY ... ADP_APP_SECRET

Recommendation

Store these keys in environment variables or a secret manager, avoid committing them, and rotate them if exposed.

Medium

#ASI07: Insecure Inter-Agent Communication

What this means

Documents such as invoices, receipts, and orders may contain sensitive financial or business data that will be processed outside the local agent environment.

Why it was flagged

The documented workflow sends document references, and in another example base64 document contents, to an external document-processing API.

Skill content

curl -X POST "https://adp-global.laiye.com/open/agentic_doc_processor/laiye/v1/app/doc/extract" ... "file_url": "https://example.com/invoice.pdf"

Recommendation

Only submit documents you are allowed to share with Laiye ADP, and confirm the provider’s retention, privacy, and compliance terms before processing sensitive material.

Low

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Users have less registry-level provenance information when deciding whether to trust the package with documents and API credentials.

Why it was flagged

The registry metadata does not provide a verified source or homepage even though the documentation points to external Laiye services and a GitHub repository.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify the package source and service endpoint directly with the vendor before configuring credentials or uploading sensitive documents.