US Tax Return Review-1040
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a local, purpose-aligned tax-return review tool, but it handles sensitive tax data and includes an optional unpinned Python package install.
Use this skill only with tax data you are comfortable processing locally. Keep input and output files private, consider using a virtual environment for the optional dependency, and have a qualified CPA or EA review findings before making filing decisions.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Sensitive tax details and audit-risk observations may remain on disk after the review.
The skill intentionally creates persistent local summaries and reports derived from tax-return data, which may include sensitive financial information.
Produce three artifacts: a detailed findings JSON file, a markdown summary, and a separate DOCX risk report listing major items and related risks.
Run the review in a private directory, restrict access to the output files, avoid sharing them with untrusted services, and delete them when no longer needed.
Installing an unpinned package may pull whatever version is current from the package index at install time.
The optional DOCX feature relies on an external Python package installed without a pinned version. This is purpose-aligned, but it is still a supply-chain consideration.
If `python-docx` is missing, install it:
```bash
python -m pip install --user python-docx
```
Install dependencies from a trusted source, preferably in a virtual environment, and consider pinning or verifying the python-docx version before use.
