YC Resource Import
Warn
Audited by ClawScan on May 11, 2026.
Overview
The skill’s purpose is coherent, but it can automatically ingest contracts and rewrite/append production CSV data without clear scope, confirmation, backup, or rollback controls.
Review this skill carefully before installing. It appears designed for a legitimate contract-to-CSV workflow, but do not let it write directly to production until you have configured a safe output path, reviewed proposed rows, backed up the target CSV, and limited cloud-drive access to the specific contract folder.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken path, malformed input, or unsafe invocation could alter or damage production business data.
The script takes an arbitrary production CSV path from command-line arguments and opens it for writing, which rewrites the file rather than appending safely.
prod_path = sys.argv[1] ... with open(prod_path, 'w', encoding=enc, newline='') as f:
Require explicit user confirmation, restrict writes to configured production paths, create backups, use atomic append/write behavior, and validate fields before modifying the production file.
Bad OCR, incorrect public enrichment, or a misclassified contract could propagate directly into production records.
The workflow automatically transforms parsed/OCR/publicly enriched contract data and pushes it into the production database, but the visible artifact does not show a staging or human approval gate.
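Automatically identify the 8 major resource types → extract according to the locked standard fields → automatically fill in from public information → mask sensitive information → compliance check → output a standard CSV and append it to the production database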
Use a review/staging CSV first, show a diff of proposed changes, and require approval before any production append.
The skill may need access to cloud-drive files containing contracts or other sensitive business documents.
The skill expects integrations that may access a user's cloud storage accounts, which is purpose-aligned for pulling contracts but should be explicitly scoped.
"required_skills": ["google-drive", "Bbaidu-netdisk-storage"]
Grant only folder/file-scoped access where possible and confirm which files will be read before running imports.
Runtime setup may depend on external packages or skills whose versions and provenance are not fully described here.
The package declares runtime dependencies and required skills elsewhere, but does not include an install specification or pinned dependency source in the provided artifacts.
No install spec — this is an instruction-only skill.
Install dependencies from trusted sources, pin versions, and verify the required Google Drive/Baidu Netdisk skills before use.
