QuickBooks Mileage CSV

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.exposed_secret_literal

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A Microsoft token created for Outlook calendar mileage data could also allow sending mail from the signed-in account.

Why it was flagged

The Outlook calendar adapter defaults to requesting Mail.Send along with Calendars.Read. Calendar reading is needed for mileage import, but email sending is a separate optional capability, so this default broadens Microsoft account authority unless the user explicitly narrows the scope.

Skill content

scope=str(self.settings.get("scope", "offline_access Calendars.Read Mail.Send")),

Recommendation

Use the narrowest Microsoft Graph scope possible, such as Calendars.Read for calendar-only use, and enable Mail.Send only for a separately reviewed email-delivery configuration.

What this means

Mileage CSVs, reports, addresses, and related business data may leave the local machine if optional email, cloud, or scheduled cloud modes are enabled.

Why it was flagged

The skill clearly discloses that optional non-local modes can route generated mileage data through third-party providers.

Skill content

If you opt into GitHub Actions, cloud storage, or email delivery, your data will flow through the provider you configure. Those modes are optional.

Recommendation

Keep the default local mode unless you are comfortable with the selected provider handling the data; use dry-run or --skip-email when reviewing a configuration.

Findings (3)

critical

suspicious.exposed_secret_literal

Location: qbo_mileage/adapters/airtable.py:20
Finding: File appears to expose a hardcoded API secret or token.

critical

suspicious.exposed_secret_literal

Location: qbo_mileage/adapters/outlook.py:97
Finding: File appears to expose a hardcoded API secret or token.

critical

suspicious.exposed_secret_literal

Location: qbo_mileage/config.py:138
Finding: File appears to expose a hardcoded API secret or token.