Klientenportal
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: klientenportal
Version: 1.5.1
The OpenClaw AgentSkills bundle for RZL Klientenportal automation is classified as benign. The skill's purpose is clearly defined as interacting with `klientenportal.at` for document exchange. The Python script (`scripts/klientenportal.py`) demonstrates robust security practices, including output path sandboxing to restrict file writes to the workspace or `/tmp`, input file path validation to prevent uploads from arbitrary locations, and filename sanitization to mitigate path traversal. It also hardens permissions on configuration and profile directories and explicitly clears browser sessions. There is no evidence of data exfiltration to unauthorized endpoints, arbitrary command execution, persistence mechanisms, or prompt injection attempts in the `SKILL.md`.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the skill is delegating access to a sensitive accounting portal account.
The skill uses the configured Klientenportal user ID and password to log into the tax/accounting portal.
page.locator('input[type="text"]').first.fill(config["user_id"])
page.locator('input[type="password"]').first.fill(config["password"])
Use a dedicated account if available, keep the config file and environment variables private, and review portal activity if unexpected uploads or downloads occur.
A mistaken command or broad file pattern could upload the wrong accounting documents.
The skill can upload selected receipt or invoice files, including wildcard selections, to a specific accounting category in the external portal.
python3 {baseDir}/scripts/klientenportal.py upload -f invoice.pdf --belegkreis KA
python3 {baseDir}/scripts/klientenportal.py upload -f *.xml --belegkreis SP
Confirm file paths and Belegkreis categories before upload, and avoid broad wildcards unless you have reviewed the matching files.
Portal session cookies may remain on disk after a task until logout or cleanup.
The browser profile is stored persistently under the skill's workspace directory, which can retain session state between runs.
PROFILE_DIR = CONFIG_DIR / ".pw-profile"
...
return pw.chromium.launch_persistent_context(
user_data_dir=str(PROFILE_DIR),
Run the documented logout command after use and protect or remove the local profile directory if the workspace is shared.
The skill depends on external automation tooling that should come from trusted package sources.
Setup instructs users to install Playwright and a browser runtime from external package/download sources.
pip install playwright
playwright install chromium
Install from trusted package indexes or a controlled environment, and consider pinning Playwright versions for reproducible deployments.
