Accounting Skill
v0.1.0
Process accounting documents — invoices (hóa đơn GTGT), purchase orders, and bank statements. Extract structured data from PDF (digital and scanned), JPG, an...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (accounting OCR) aligns with included scripts and reference docs. The repo contains classification and three extractor scripts plus OCR helpers and bank/invoice/PO references — all expected for the stated functionality. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md and README direct the agent/user to run local scripts (uv run ...) which read input files, perform OCR, and write Excel/JSON outputs. This matches purpose. Two items to note: (1) the README example uses eval on commands generated by classify_document.py — executing untrusted command strings is risky; prefer invoking recommended scripts directly rather than eval’ing arbitrary output. (2) Extraction outputs include raw_text and full source_file paths in JSON backups which may contain sensitive data or reveal local filesystem structure.
Install Mechanism
No install spec in registry (instruction-only), but scripts rely on system packages (tesseract, poppler) and Python deps declared inline via PEP-723 comments (uv run will auto-install). This is reasonable for OCR tooling, but auto-installing Python packages (via 'uv run') has typical supply-chain risk compared to using only system packages; verify dependencies and run in a controlled environment.
Credentials
The skill requests no environment variables, credentials, or unrelated system config paths. The code operates on local files and writes local Excel/JSON outputs — consistent with its purpose. There are no obvious requests for network credentials or cloud keys.
Persistence & Privilege
Skill flags are default (always: false) and the skill does not request permanent/privileged presence or modify other skills. It writes output files (Excel/JSON) in user-specified locations, which is appropriate for this tool.
Assessment
This skill appears to be what it says: local OCR + structured extraction. Before installing or running it:
1) Inspect scripts/ocr_utils.py (not fully shown here) to confirm it does not make network calls or upload data;
2) Run first uses in a controlled environment (or a copy of sensitive files) because the skill writes JSON backups containing raw OCR text and full source_file paths which may contain PII;
3) Install system OCR packages (tesseract, poppler) and review Python packages that 'uv run' will install; consider using a virtual environment;
4) Avoid blindly executing shell-eval of commands produced by classify_document (the README shows an eval example); instead run the suggested extractor programmatically or by copy/paste to avoid command injection if an attacker can supply malicious files;
5) Use --dry-run to preview parsed JSON before writing files.
If you want higher assurance, share the full contents of scripts/ocr_utils.py and any remaining truncated files so they can be reviewed for network or other unexpected behavior.
Like a lobster shell, security has layers — review code before you run it.
