QuickBooks Mileage CSV

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its mileage-CSV purpose, but its Microsoft Outlook token defaults include email-sending permission, so users should review permissions before installing.

Before installing, review your config and credentials carefully. Prefer local output first, run a dry run, keep config and token files private, restrict Airtable/Google/Microsoft/API keys to the minimum needed, and override the Outlook Microsoft Graph scope so Mail.Send is not granted unless you intentionally enable email sending.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A Microsoft token created for Outlook calendar mileage data could also allow sending mail from the signed-in account.

Why it was flagged

The Outlook calendar adapter defaults to requesting Mail.Send along with Calendars.Read. Calendar reading is needed for mileage import, but email sending is a separate optional capability, so this default broadens Microsoft account authority unless the user explicitly narrows the scope.

Skill content

scope=str(self.settings.get("scope", "offline_access Calendars.Read Mail.Send")),

Recommendation

Use the narrowest Microsoft Graph scope possible, such as Calendars.Read for calendar-only use, and enable Mail.Send only for a separately reviewed email-delivery configuration.

What this means

Mileage CSVs, reports, addresses, and related business data may leave the local machine if optional email, cloud, or scheduled cloud modes are enabled.

Why it was flagged

The skill clearly discloses that optional non-local modes can route generated mileage data through third-party providers.

Skill content

If you opt into GitHub Actions, cloud storage, or email delivery, your data will flow through the provider you configure. Those modes are optional.

Recommendation

Keep the default local mode unless you are comfortable with the selected provider handling the data; use dry-run or --skip-email when reviewing a configuration.