Skill v1.0.1
ClawScan security
GL importer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 12, 2026, 3:02 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests and instructions match its stated purpose (uploading CSV/XLSX to the Synder Importer API for QuickBooks/Xero) and do not ask for unrelated credentials, binaries, or installs.
- Guidance: This skill appears coherent and implements the expected workflow for importing spreadsheets into QuickBooks Online/Xero via Synder. Before installing: 1) only provide an IMPORTER_API_TOKEN from importer.synder.com and verify you trust Synder's service and privacy policy (uploads contain sensitive financial data that will be forwarded to your accounting provider); 2) follow the SKILL.md recommendation to run dryRun=true and test with non-production data; 3) confirm you select the correct company ID when importing; 4) be prepared to revoke the API token from the Synder web UI if you no longer want the skill to have access. There are no hidden installs or unrelated credential requests, but remember that using the skill will send spreadsheet contents to a third party (Synder) for processing.
Review Dimensions
- Purpose & Capability (ok): Name/description, README instructions, and the referenced API docs consistently describe importing spreadsheet accounting data into QuickBooks Online or Xero via the Synder Importer API. The single required credential (IMPORTER_API_TOKEN) is appropriate for that API and no unrelated secrets/binaries are requested.
- Instruction Scope (ok): SKILL.md gives explicit curl-based workflows for listing companies, mapping fields, uploading files, polling status, canceling/reverting imports, and recommends dryRun first. It only references the CSV/XLSX files to upload and the provider account context; it does not instruct reading unrelated system files or exfiltrating data to unknown endpoints. It clearly documents that files are uploaded to importer.synder.com and forwarded to the connected accounting provider.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files. No downloads or package installs are performed by the skill, so there is no install-time execution risk.
- Credentials (ok): Only IMPORTER_API_TOKEN is required (documented in SKILL.md). That token is necessary and proportionate for authenticating to the Synder Importer API. No other secrets, config paths, or unrelated service tokens are requested.
- Persistence & Privilege (ok): Skill is not always-enabled and does not request system persistence or modify other skills. It relies on outbound HTTP calls to the documented API, which is expected for its purpose. Autonomous model invocation is allowed by platform default but is not combined with elevated privileges here.
