Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Finance Accounting

v1.0.0

Comprehensive finance and accounting document-processing skill package, including core functions for bookkeeping, reconciliation, tax, and reporting

Stats: 0 · 1.9k · 23 current · 25 all-time

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description align with the included code: finance.py implements recording, balance, tax calculation, report generation and bank-statement import. However, the docs repeatedly claim features (bank/API integrations, ERP/tax system integration, data encryption, access control, audit logs) that are not implemented in the code. Also the repository contains config/*.yaml but finance.py looks for config files in a data directory by default (accounts.yaml and tax_config.yaml under its data_dir) — a mismatch between README/SKILL.md paths (config/) and the code's default (data/). These documentation–implementation mismatches reduce confidence that required capabilities or security guarantees exist.
Instruction Scope
SKILL.md/README instructs commands referencing config/, logs/ (tail -f logs/finance.log), and external integrations; the code instead prints to stdout and uses a data directory for files. The skill claims encrypted storage and access control, but finance.py does not implement encryption, a logging framework, or any access control enforcement. The README also shows automation examples (automate_finance.py) and integration with other skills, but there is no code that implements network calls or API clients for bank/tax/ERP systems. Instructions that imply secure storage and integration are therefore not enforced by the shipped code.
Install Mechanism
There is no install spec (instruction-only packaging plus code files). Dependencies listed in SKILL.md (python, pandas, openpyxl, reportlab) are reasonable for the stated features. No external downloads, installers, or unusual install actions are present in the manifest — low install risk.
Credentials
The skill requests no environment variables or credentials in its metadata (none required). The documentation references external integrations (bank APIs, tax/electronic filing, payment systems, GitHub) which would require credentials, but those are not requested or implemented. This is a double-edged signal: on one hand there is no immediate credential exfiltration request; on the other hand the docs promise integrations but provide no clear, safe place/configuration for credentials, so users may be prompted later to supply secrets without a clear implementation. Verify any credential handling before providing real secrets.
Persistence & Privilege
The skill is not force-always enabled (always: false) and uses only local file storage (creates a data_dir). It does not modify other skills or system-wide configuration. There is no evidence of persistent background services or privileged operations in the shipped files.
What to consider before installing
What to check before installing or using this skill:

1) Documentation vs. code: The README/SKILL.md promise encrypted storage, access control, audit logs, and integrations (bank/tax/ERP). The provided finance.py does not implement encryption, a logging system, or API clients — it mostly reads/writes local CSV/YAML/JSON and prints to stdout. Do not assume those security features exist without inspecting or adding them.

2) Config/file paths: The docs reference config/*.yaml and logs/*, but finance.py defaults to a data/ directory for accounts/tax config and does not create or write logs. Confirm where configs and data will actually be read/written and adapt paths to your environment.

3) Credentials and integrations: The package does not request credentials, but the integration features mentioned will require sensitive credentials if you add them. Only provide API keys or banking credentials after you (a) inspect/modify the code so credentials are stored securely (encrypted or via a trusted secret store), and (b) know exactly what network calls will be made.

4) Test in isolation: Run the code in an isolated/test environment with non-sensitive sample data first. Review finance.py for any network calls or subprocesses (none were found in the provided files) and run the test suite to confirm behavior.

5) Add missing security controls: If you plan to use this for real financial data, add or verify: secure storage/encryption of data at rest, proper logging (to files with rotation) and access controls, secure handling of any credentials, and backups.

6) Contact/maintenance: The repository/homepage are not authoritative; the README includes a placeholder support email (finance-support@example.com) and a generic GitHub URL. Treat the package as community/third-party code; prefer well-audited solutions for production accounting.
If you want, I can: (a) point out exact lines in finance.py where configuration/loading and file writes occur so you can patch them, (b) suggest secure patterns for storing credentials and logs, or (c) produce a checklist to harden this skill for production use.
