Bookkeeper
WarnAudited by ClawScan on May 10, 2026.
Overview
This is a coherent bookkeeping automation, but it can read private email attachments, send them to OCR, and create accounting records, so it warrants careful review before use.
Only install this if you are comfortable granting access to Gmail, Stripe, Xero, and OCR processing. Start with manual review, limit the mailbox/date/vendor scope, approve each attachment upload and Xero write, and avoid running broad update-all commands unless you have reviewed the affected skills.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A bad OCR result or payment match could create incorrect bills, contacts, or reconciliation status in the user's accounting system.
The skill can direct the agent to create and mark accounting records in Xero, including an automatic high-confidence mode. These are high-impact financial mutations, and the artifact does not require per-entry confirmation, rollback steps, or tenant/account containment.
auto_post_policy (`manual-review`, `auto-if-high-confidence`) ... create contacts if missing ... create bill entry (`Type: ACCPAY`) ... mark as paid/reconciled state only when Stripe verification is confident
Default to manual review, require explicit approval for each Xero write, restrict allowed vendors/accounts/tenants, and document how to reverse or void incorrect entries.
Private invoices or email contents could be sent to an OCR provider more broadly than the user intended.
The workflow reads private Gmail payloads and automatically sends candidate attachments to an external OCR service. The required inputs do not clearly bound mailbox scope, date range, attachment approval, or data-retention expectations.
Scan Gmail for candidate invoice emails ... fetch message metadata and full payload ... For each invoice candidate attachment: 1. send file to DeepRead OCR with invoice schema
Require a mailbox/date/vendor scope before scanning, show candidate attachments before upload, and document DeepRead data handling, retention, and deletion controls.
If these keys are over-scoped or exposed, an agent or attacker could access sensitive business records.
The credentials are expected for the stated integrations, but they provide access to email, payments, accounting, and OCR services.
`MATON_API_KEY` (for Gmail, Stripe, Xero through Maton gateway) ... `DEEPREAD_API_KEY` (for OCR extraction)
Use least-privilege credentials, rotate keys regularly, and confirm exactly which Gmail, Stripe, and Xero accounts the Maton gateway can access.
Installing or updating unpinned upstream skills could change the behavior or permissions of the bookkeeping workflow or other installed skills.
The skill relies on upstream skills installed via latest-version commands, and `update --all` can change more than the four dependencies needed for this workflow.
npx -y clawhub@latest install gmail ... npx -y clawhub@latest install xero ... npx -y clawhub@latest update --all
Install only the required skills, pin reviewed versions where possible, avoid broad update-all commands, and review upstream skill permissions before granting credentials.
Sensitive bookkeeping metadata may remain available across future tasks or to other tools if storage is not controlled.
Persistent bookkeeping logs are purpose-aligned for traceability, but they may contain sensitive email, payment, and accounting identifiers, and the artifact does not specify storage location or retention.
store processing log (source email, extraction confidence, matching evidence, xero IDs) ... keep idempotency key to avoid duplicate posting
Store logs in a user-approved location, minimize sensitive fields, set retention limits, and prevent stored logs from being treated as authoritative instructions.