Finance Accounting
Security checks across malware telemetry and agentic risk
Overview
This skill mostly performs local accounting, but it asks users to trust it with sensitive financial records while claiming security protections that the provided code does not show.
Review this skill before using it with real financial records. Treat its saved CSV/report files as sensitive plaintext unless you add your own encryption, access controls, and backup practices. Be especially careful with the README’s GitHub and automation suggestions.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may believe their financial records are encrypted and access-controlled when the included code appears to save them as ordinary local files.
The documentation presents strong safety and production-readiness claims for financial data. The provided implementation stores transactions as local CSV files and does not show encryption, access-control, or audit-log enforcement, which could cause users to overtrust the skill with sensitive accounting records.
**Encrypted storage**: financial data is stored using encryption ... **Status**: ✅ Production ready
Either implement the claimed protections or clearly state that data is stored locally in plaintext unless the user provides separate protection.
Anyone or anything with access to the workspace could potentially read or modify saved transaction files, affecting financial calculations and reports.
The skill persistently stores financial transaction history and later reuses it for balances, taxes, and reports. This is expected for accounting, but the stored data is sensitive.
self.transactions_file = self.data_dir / "transactions.csv" ... df.to_csv(self.transactions_file, mode='a', header=False, index=False, encoding='utf-8')
Use a protected data directory, restrict file access, keep backups, and avoid storing real financial records unless plaintext local storage is acceptable.
If used with real files, automated tasks could repeatedly import or process financial data without a fresh review each time.
The README provides a user-directed example for a long-running scheduled automation loop that processes bank statements and reports. It is not installed or started automatically, but it would keep running if the user creates and launches it.
schedule.every().day.at("18:00").do(daily_task) ... while True: schedule.run_pending(); time.sleep(60)
Run scheduled automation only with explicit approval, logging, limited file paths, and a clear way to stop it.
Future package changes or a compromised package source could affect the local accounting environment.
The setup instructions use unpinned package installation. These dependencies are purpose-aligned for data processing and reports, but versions and package sources are not constrained.
pip install pandas openpyxl reportlab pyyaml
Install from trusted sources, pin dependency versions, and use a virtual environment.
Financial records could be committed to a remote repository or processed automatically by another agent if the user enables those integrations.
The documentation suggests combining this finance skill with other skills for version control and automation. This is not implemented in the included code, but if followed, financial data or actions could propagate beyond the local accounting workflow.
**github skill**: version control for financial data ... **proactive-agent skill**: automatically run scheduled tasks
Do not connect financial data to GitHub or automation tools unless repositories are private, scopes are limited, and each recurring action is reviewed.
