travel-subsidy

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This instruction-only skill is coherent for processing the two uploaded reimbursement zip files, with no evidenced hidden code, credential use, or external sharing, but it handles sensitive travel and invoice records.

This appears safe to use for its stated purpose if you are comfortable giving it the two reimbursement archives. Verify the calculated subsidy results, use trusted zip files, and clean up the run directory afterward if the documents are sensitive.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Users have less external context for who maintains the skill, but the provided artifacts do not show hidden code or remote installation behavior.

Why it was flagged

The skill has limited provenance information, although it is instruction-only and no executable dependency or installer is provided.

Skill content

Source: unknown; Homepage: none

Recommendation

Review the visible instructions before use and prefer processing sensitive reimbursement files in a controlled workspace.

What this means

The agent will manipulate files from the uploaded archives and create result packages in the workspace.

Why it was flagged

The skill directs archive extraction and file creation, which is expected for this workflow and includes a specific zip-slip safeguard.

Skill content

Unzip both archives into a dedicated run directory... Protect against zip slip / path traversal.

Recommendation

Use the skill only with the intended 发票.zip and 火车票.zip files, and avoid feeding it archives from untrusted sources.

What this means

Sensitive travel, invoice, route, amount, and subsidy information may remain in the workspace after the task completes.

Why it was flagged

The workflow stores copies of invoice and ticket archives, extracted files, generated workbooks, and output zips in a run directory.

Skill content

Save or copy both input archives into `$run_dir/input/`... Produce two zip outputs

Recommendation

Delete the run directory and intermediate files when no longer needed, and verify the generated subsidy records before submitting them.