ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Singapore SME Compliance

v1.0.0

Help Singapore SMEs automate compliance tasks: GST calculation, PEPPOL invoice validation, tax report generation, and IRAS filing deadlines. Use when: calcul...

0· 56·0 current·0 all-time
by@redwoo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (GST, PEPPOL, F5, deadlines) match the included README, SKILL.md and the small gst_calculator.sh script. Requiring the 'bc' binary is appropriate for the included shell calculator. There are no unrelated credentials, binaries, or config paths requested.
Instruction Scope
SKILL.md contains only documentation, example shell commands, and local automation steps. It includes curl examples that contact external endpoints (IRAS, api.gstcalculator.sg, Xero/QuickBooks, IRAS filing API). Those are sample integrations — the skill does not contain code that automatically exfiltrates data, but following the examples would send data to external services. Some example endpoints (e.g., api.gstcalculator.sg or the specific IRAS API path used in examples) may be placeholders; verify endpoints before use.
Install Mechanism
No install spec (instruction-only) and only a tiny shell script are included. Nothing is downloaded or executed at install time. Low risk from install mechanism.
Credentials
The skill declares no required environment variables or credentials. SKILL.md shows optional integration examples that would require bearer tokens (Xero, CORPPASS), which is normal for integrations but not required by the skill itself. This is proportionate.
Persistence & Privilege
always:false and user-invocable; the skill does not request persistent privileges or modify other skills. Normal autonomous invocation settings apply.
Assessment
This package appears to be what it says: a small, instruction-only compliance helper with a safe local GST calculator script. Before installing or running examples: 1) Inspect any curl commands and verify the external endpoints are official (especially api.gstcalculator.sg and the specific IRAS API paths used) — don't post real invoice or authentication tokens to unknown endpoints. 2) Only provide bearer tokens (Xero, CORPPASS, etc.) when you consciously connect to that service and trust the destination. 3) Review scripts (gst_calculator.sh is short and safe) and keep sensitive data local where possible. If you want stronger assurance, ask the skill author for canonical API docs or replace example endpoints with known official endpoints before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk9774mgaxxr1z20wa47cvgx75s83p9r8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsbc

Comments