Bank Statement Reconciler Pro

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill largely does what it says (bank statement reconciliation), but there are multiple implementation inconsistencies and an external token-validation network call that are not clearly disclosed — review before providing real credentials or production data.

This skill appears to implement bank statement reconciliation, but exercise caution before using it with real data:

- Dependency gaps: The code expects Python packages (requests, openpyxl) and an external CLI ('miaoda-studio-cli') for PDF parsing. These are not listed in the skill metadata; the agent may fail or behave unexpectedly if they are missing.
- Remote validation: If you provide a tier token (e.g., BANK-PRO-...), the skill will POST that token to https://geo-api.yk-global.com/validate. That will transmit whatever token you give it to a third-party service. The SKILL.md/README do not clearly state this network call; avoid entering real production credentials unless you trust that domain.
- Token-handling fallback is permissive: on network errors the code treats the token as valid (returns True). This is insecure from an access-control perspective and may cause inconsistent behavior.
- Feishu: The skill builds Feishu cards but does not include an API push implementation or require Feishu credentials; pushing cards would require additional agent-level steps and credentials not managed by this skill.

Recommendations before installing/using:

1. Do not supply real tokens or production secrets until you verify the VERIFY_URL (geo-api.yk-global.com) and the operator (YK Global). Inspect network traffic or host reputation if possible.
2. Test the skill with synthetic or redacted bank data locally to confirm behavior and dependencies (install requests/openpyxl and ensure miaoda-studio-cli is present if you will parse PDFs).
3. If you need offline-only processing, modify or audit parser._parse_pdf to avoid calling the external CLI, or pipe PDFs to a local parser you control.
4. If you plan to integrate Feishu pushes, implement and audit the Feishu push code and credential handling separately.
If you want, I can: 1) list exact places in code where tokens or external calls occur, 2) suggest a minimal safe wrapper to disable remote token validation, or 3) walk through how to run the skill in an isolated environment.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

No VirusTotal findings


Risk analysis

No visible risk-analysis findings were reported for this release.