Klientenportal

Pass. Audited by ClawScan on May 10, 2026.

Overview

This appears to be a legitimate Klientenportal automation skill, but it uses your tax-portal login, uploads/downloads accounting documents, and keeps a local browser session unless you log out.

Before installing, make sure you are comfortable giving this skill access to your Klientenportal account and accounting documents. Store credentials securely, review uploads before running them, download sensitive files only to appropriate locations, and run logout after finishing so the local browser session is cleared.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone using the skill is delegating access to a sensitive accounting portal account.

Why it was flagged

The skill uses the configured Klientenportal user ID and password to log into the tax/accounting portal.

Skill content

page.locator('input[type="text"]').first.fill(config["user_id"])
page.locator('input[type="password"]').first.fill(config["password"])

Recommendation

Use a dedicated account if available, keep the config file and environment variables private, and review portal activity if unexpected uploads or downloads occur.

What this means

A mistaken command or broad file pattern could upload the wrong accounting documents.

Why it was flagged

The skill can upload selected receipt or invoice files, including wildcard selections, to a specific accounting category in the external portal.

Skill content

python3 {baseDir}/scripts/klientenportal.py upload -f invoice.pdf --belegkreis KA
python3 {baseDir}/scripts/klientenportal.py upload -f *.xml --belegkreis SP

Recommendation

Confirm file paths and Belegkreis categories before upload, and avoid broad wildcards unless you have reviewed the matching files.

Note (High Confidence)

ASI10: Rogue Agents

What this means

Portal session cookies may remain on disk after a task until logout or cleanup.

Why it was flagged

The browser profile is stored persistently under the skill's workspace directory, which can retain session state between runs.

Skill content

PROFILE_DIR = CONFIG_DIR / ".pw-profile"
...
return pw.chromium.launch_persistent_context(
        user_data_dir=str(PROFILE_DIR),

Recommendation

Run the documented logout command after use and protect or remove the local profile directory if the workspace is shared.

What this means

The skill depends on external automation tooling that should come from trusted package sources.

Why it was flagged

Setup instructs users to install Playwright and a browser runtime from external package/download sources.

Skill content

pip install playwright
playwright install chromium

Recommendation

Install from trusted package indexes or a controlled environment, and consider pinning Playwright versions for reproducible deployments.