Bank Statement Reconciler

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The code largely implements a bank-statement reconciler as described, but there are multiple mismatches and undeclared dependencies (an external PDF CLI, Python packages, and Feishu push behavior/credentials) that do not line up with the skill's stated requirements — proceed with caution and verify before enabling.

This skill's core functionality (parsing, matching, exporting) appears coherent, but there are several red flags you should address before installing:

- Missing dependency declarations: the code uses openpyxl and other Python libraries but the skill manifest lists no install steps. Ensure required Python packages are specified and reviewed.
- Undeclared binary usage: parser._parse_pdf invokes 'miaoda-studio-cli doc-parse' via subprocess. That binary is not declared as a required dependency. Verify what that CLI does, where it comes from, and whether you trust it. Running untrusted CLIs on your system is risky.
- Feishu integration mismatch: SKILL.md shows pushing to Feishu and examples use push_reconciliation_to_feishu(...), but only a card builder exists in code. There are no environment variables or credentials declared for Feishu. If you expect the skill to send results to Feishu, request that the author provide a safe, explicit Feishu sender function and declare the required secrets (and ideally use webhook URLs or token storage patterns you control).
- Tier/token handling is unclear: the README and SKILL.md mention backend token validation and prefixes; inspect scripts/tier_config.py for any network calls or secrets handling. If it contacts a remote backend, confirm the endpoint and the data transmitted.
- Run in an isolated environment first: if you test this skill locally, do so in an isolated sandbox or container, and monitor subprocess activity and network traffic. Review and pin third-party package versions.

If you cannot confirm the above items with the skill author (declared dependencies, the exact behavior of miaoda-studio-cli, the Feishu sending implementation, and any remote endpoints used by tier_config), treat the skill as untrusted and avoid giving it access to real bank files or credentials.

SkillSpector

By NVIDIA

SkillSpector findings are pending for this release.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.
