financial-report
Advisory
Audited by Static analysis on May 3, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the CDN or dependency were compromised, code running in the browser page could potentially access data typed into the tool.
The local HTML visualization tool depends on a third-party CDN script for chart rendering. This is purpose-aligned, but users entering financial data should know remote JavaScript will run in the page.
<script src="https://cdn.jsdelivr.net/npm/chart.js@4.4.4/dist/chart.umd.min.js"></script>
Use the tool with public or non-sensitive data unless you trust the CDN dependency; a safer version would bundle the library locally or use subresource integrity.
A user may click through to an external site assuming it is affiliated with the skill, even though the artifacts do not establish that relationship.
The HTML tool contains upgrade links to an external domain that is not explained in the registry metadata or homepage. The README also describes this as professional-version promotion.
<a href="https://keto.bh-jk.com" target="_blank" class="pro-badge">🔓 解锁专业版</a>
Treat the upgrade link as an external marketing site; do not enter payment, credentials, or sensitive information unless you independently trust the domain.
