Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Expense Reimbursement

v3.0.4

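Travel Expense Reimbursement receipt organizer: supports Amap (Gaode)/Didi/Uber ride-hailing, 12306 train tickets, flight tickets, and hotel stays; recursive scanning, including inside ZIP archives; OCR of itinerary receipts; classifies trips as business travel or local official outings; automatically archives by trip; fills in the R&D expense usage form; generates a print-ready PDF package (paste sheet always the first page); automated PDF merging (images+...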

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (expense reimbursement, OCR, ZIP recursion, PDF merging, form filling) match the provided instructions and the included Python script. Declared dependencies (python-docx, pypdf, reportlab, Pillow, tesseract) are appropriate for the stated functionality.
Instruction Scope
Instructions and the script operate on user files (recursive scan of a reimbursement directory, unzip of ZIPs, XML parsing, OCR of images/PDFs) and write outputs (archived folders, merged PDFs, a summary file in ~/memory). The skill requires explicit user confirmations for major steps; it also offers an optional deletion step for original ZIPs/temps. These behaviors are coherent with the purpose but involve broad filesystem access and destructive actions only after user consent.
Install Mechanism
No install spec; the skill is instruction-only with a small helper script. No remote downloads or archive extraction from untrusted network sources are performed by the skill itself. The only install action a user would need is pip-installing legitimate Python packages and optionally installing tesseract OCR.
Credentials
The only optional environment variable referenced is REIMBURSEMENT_DIR to override the processing directory, which is appropriate. No credentials, tokens, or unrelated environment variables are requested.
Persistence & Privilege
The skill writes output files and creates directories under the chosen reimbursement directory and creates a summary file at ~/memory/YYYY-MM-DD_报销整理.md. always:false (not force-included). Writing local files is expected for this use case, but users should be aware of where files are created and of the optional deletion step.
Assessment
This skill appears to be what it claims: a local receipt-processing assistant that scans/unzips files, OCRs, classifies receipts, fills forms and produces merged PDFs. Before installing or running it:
1) Confirm the processing directory (REIMBURSEMENT_DIR) and check the script's default (SKILL docs reference ~/报销/ while the script defaults to ~/Desktop/报销/) so you know where files will be read/written.
2) Back up your reimbursement directory first — the skill can delete ZIPs and temp files if you authorize that.
3) Inspect any ZIPs you feed it (nested ZIPs can be extracted) and avoid running on untrusted archives to reduce risk of malicious payloads.
4) Install tesseract and Python deps from official sources; run the script in an isolated environment if you have concerns.
5) Note the skill creates a ~/memory summary file and new folders under your reimbursement directory — verify those locations if you need to restrict where data is stored.
Overall there are no network endpoints, credentials, or unexplained behaviors in the package, but exercise normal caution when running file-processing scripts on your machine.
