Bookkeeper

Before installing or enabling this skill, confirm the following: - Ask the author to explain 'MATON_API_KEY': what is the Maton gateway, which services does it actually control, what scopes/permissions does the key grant, where is it stored, and why is one key used instead of per-service OAuth? A single gateway key that can access Gmail, Stripe, and Xero is high‑impact — prefer per-service OAuth with least privilege. - Ask why python3 is required when the SKILL.md contains no Python steps; verify whether upstream skills (gmail, deepread-ocr, stripe-api, xero) have specific runtime requirements that justify python3 being mandatory. - Request that MATON_API_KEY be declared as the primary credential (or clarify why not) and that the skill document the exact scopes and token rotation/lifecycle. - Audit the upstream skills the meta-skill installs (clawhub install ...). Installing third-party packages via npx will pull remote code — review those package sources and their requested permissions before allowing installation in production accounts. - Insist on least-privilege: ensure the gateway/API token cannot perform actions beyond read/list/write only what is necessary (e.g., read-only Gmail for intake, restricted create only in a specific Xero org). Consider testing in a sandbox Xero/Stripe/Gmail environment first. - Require explicit user confirmation and review policy before any automatic posting of financial records (the SKILL.md's policies are good; ensure enforcement and logging exist). If the author can provide detail on Maton (service homepage, token scope), justify python3, and show that the gateway token does not grant excessive admin power, confidence in this skill would increase. Without that, treat the MATON key as a high‑risk item and proceed cautiously.