Ca Skill
v1.0.0
Full-service CA skill for TallyPrime running locally. Read accounting reports (day book, trial balance, P&L, balance sheet, outstandings, GST) and post or up...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
SKILL.md clearly describes a TallyPrime XML-over-HTTP integration and only needs a TALLY_URL and curl to operate, which is proportionate to the stated CA/Tally use. However, the registry summary at the top of the provided bundle claims 'Required env vars: none' and 'Required binaries: none' while SKILL.md (and its metadata block) declare TALLY_URL and curl — an internal metadata inconsistency that should be resolved before trusting automated deployment.
Instruction Scope
All runtime instructions are explicit: POST XML envelopes to $TALLY_URL to read/export reports or import masters/vouchers. The skill repeatedly instructs to confirm company and write intent before making changes. One notable operational risk: the skill supports sending custom TDL blocks (custom reports) in requests — this is a legitimate Tally feature but increases the power of requests sent to the configured endpoint. Ensure the endpoint is your local Tally instance.
Install Mechanism
No install spec and no code files — instruction-only skill. That minimizes installer risk (nothing downloaded or written to disk by the skill).
Credentials
The only required environment value is TALLY_URL (declared as primary credential in SKILL.md metadata), which is appropriate for an HTTP-based local integration. However, a URL can point to any host; if it points to a remote server it could be used to transmit sensitive accounting data. Also note the earlier registry summary that omitted this env var — metadata should be consistent.
Persistence & Privilege
always:false (good). disable-model-invocation:false (default) allows the agent to invoke the skill autonomously. Because the skill can perform write operations (create/alter/cancel vouchers, masters), you should ensure the agent is configured to require user confirmation for writes or not allow fully autonomous use in production without safeguards. SKILL.md does state to confirm intent before writes.
Assessment
This skill appears to be what it says: an instruction-only TallyPrime integration that posts and reads XML to/from the configured TALLY_URL. Before installing or enabling it:
- Fix metadata: confirm the registry metadata and SKILL.md agree about required env vars and required binaries (TALLY_URL and curl). Inconsistencies are a red flag for sloppy packaging.
- Ensure TALLY_URL is a local-only endpoint (e.g., http://localhost:9000). Do not point it to a remote URL you don't control — the skill will send accounting exports and voucher payloads to whatever URL is configured.
- Test on a non-production company: run exports and a few safe imports on a sandbox company first to validate GUID/idempotency and sign conventions.
- Require explicit confirmation for any write action (or disable autonomous invocation) so the agent cannot post vouchers without a human approving company and intent.
- Backup Tally data before allowing automated imports/alterations.
If you want higher assurance, ask the skill author to correct metadata and to add an explicit runtime check that refuses to perform write operations unless TALLY_URL resolves to localhost or a user-approved host.
