v1.0.0

Smart Accountant with GST Understanding

BenignClawScan verdict for this skill. Analyzed Apr 30, 2026, 6:05 PM.

Analysis

This skill appears aligned with local accounting and GST recordkeeping, but it installs/runs local Node tooling and stores sensitive financial records, so users should review setup and approval steps carefully.

Guidance: Before installing, review the Node dependency files, run the tool only in a trusted workspace, back up the accounting database, and do not approve postings or period closes unless the preview matches real source documents and has been reviewed.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Info | Confidence: High | Status: Note
audit_rule.md
Agent must NOT submit until: ... User explicitly approves. Hard rule: NEVER POST DIRECTLY FROM USER INSTRUCTION.

The skill deliberately changes the agent's stopping conditions by requiring validation and user approval before posting. This is restrictive but protective and aligned with accounting controls.

User impact: The agent may refuse to immediately post entries and may ask follow-up questions before acting.
Recommendation: Use this behavior as a safety control; only approve postings after checking the preview.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Note
db_tool.md
post-voucher.js ... Primary write engine ... insert voucher ... insert lines ... update derived balances ... audit log ... COMMIT

The skill includes tooling that can write accounting records. This is expected for the purpose, and the documentation requires preview and approval before posting.

User impact: Incorrectly approved actions could change ledgers, reports, and audit records.
Recommendation: Review every posting preview, keep backups, and avoid approving unclear or unsupported transactions.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
The actual execution logic resides in the `tool/` directory, powered by Node.js and `better-sqlite3` ... npm install

The skill asks users to install Node dependencies even though there is no formal install spec. This is common for local tooling but remains a supply-chain surface.

User impact: Installing dependencies may bring third-party code into the local environment.
Recommendation: Review package.json/package-lock.json and install only in a trusted project environment.

Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
db_tool.md
Invocation: `node scripts/post-voucher.js payload.json`

The skill is designed to run local Node scripts. This code execution is expected for database posting workflows, but users should understand that it is not purely passive guidance.

User impact: Running the scripts can read or modify the local accounting database.
Recommendation: Run scripts only from the trusted skill directory and keep database backups before migrations, closes, or bulk postings.

Cascading Failures
Severity: Medium | Confidence: High | Status: Note
db_tool.md
generate-report.js ... Produces 12 core reports ... Derived dynamically from ledger.

Reports are derived from ledger data, so an incorrect approved posting can propagate into multiple financial reports and downstream period-close work. The documented validation controls reduce but do not eliminate this risk.

User impact: One wrong entry may affect financial statements, reconciliations, and management decisions.
Recommendation: Run integrity checks and reconciliations regularly, and verify source documents before approving postings.

Human-Agent Trust Exploitation
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
Certifies financial truth for a given period and legally locks historical records to prevent backdated manipulations.

This is strong assurance language in a regulated accounting context. The skill has controls, but users should not treat it as a substitute for professional review.

User impact: Users may over-trust the skill's outputs for legal, tax, or audit decisions.
Recommendation: Have important GST, audit, tax, and closing outputs reviewed by a qualified accountant or responsible business owner.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Note
db_tool.md
single .db file ... needs high-trust persistence ... audit_log( ... before_json, after_json, actor, timestamp )

The skill persists financial records and audit history in a local database. This is purpose-aligned but sensitive and reused across accounting tasks.

User impact: Bad or unauthorized entries could persist and influence later reports, reconciliations, and decisions.
Recommendation: Protect the database file, restrict who can edit it, and use the preview/approval workflow to prevent poisoned financial state.