Klientenportal
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the skill is delegating access to a sensitive accounting portal account.
The skill uses the configured Klientenportal user ID and password to log into the tax/accounting portal.
page.locator('input[type="text"]').first.fill(config["user_id"])
page.locator('input[type="password"]').first.fill(config["password"])
Use a dedicated account if available, keep the config file and environment variables private, and review portal activity if unexpected uploads or downloads occur.
A mistaken command or broad file pattern could upload the wrong accounting documents.
The skill can upload selected receipt or invoice files, including wildcard selections, to a specific accounting category in the external portal.
python3 {baseDir}/scripts/klientenportal.py upload -f invoice.pdf --belegkreis KA
python3 {baseDir}/scripts/klientenportal.py upload -f *.xml --belegkreis SP
Confirm file paths and Belegkreis categories before upload, and avoid broad wildcards unless you have reviewed the matching files.
Portal session cookies may remain on disk after a task until logout or cleanup.
The browser profile is stored persistently under the skill's workspace directory, which can retain session state between runs.
PROFILE_DIR = CONFIG_DIR / ".pw-profile"
...
return pw.chromium.launch_persistent_context(
user_data_dir=str(PROFILE_DIR),
Run the documented logout command after use and protect or remove the local profile directory if the workspace is shared.
The skill depends on external automation tooling that should come from trusted package sources.
Setup instructs users to install Playwright and a browser runtime from external package/download sources.
pip install playwright
playwright install chromium
Install from trusted package indexes or a controlled environment, and consider pinning Playwright versions for reproducible deployments.
