Skill v1.0.0

ClawScan security

GST + UPI Reconciliation Copilot (India) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 10, 2026, 7:52 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent with its stated purpose: it performs local CSV-based GST vs UPI reconciliation with no network calls, no credential requests, and no install steps.
Guidance
This skill appears coherent and operates entirely on local CSV files (GST invoices + UPI statements) and writes reconciliation files locally; there are no network calls or secret requirements. Before running:
1) Confirm your input CSVs match the expected columns (see references/csv-schemas.md).
2) Choose an output prefix path you control to avoid overwriting important files.
3) Note the implementation detail that missing UPI status defaults to 'success'. This can cause rows with no explicit status to be treated as matchable; if your UPI export uses empty status for failed rows, double-check results.
4) Inspect the generated *_summary.json and unmatched CSVs before taking action or sharing sensitive accounting data.
If you want stricter handling of UPI status or different token-extraction behavior, review or modify scripts/reconcile_gst_upi.py before use.

Review Dimensions

Purpose & Capability
ok: Name/description match the provided assets: a reconciliation script plus CSV schema and runtime instructions. The required resources (two CSV inputs and an output prefix) are exactly what the task needs; there are no unrelated binaries, credentials, or config paths requested.
Instruction Scope
note: SKILL.md limits actions to validating CSVs, running the included Python script, and returning generated file paths/summary. The code only reads the provided CSVs and writes reconciliation files locally (no network I/O). One small behavior mismatch to be aware of: map_upi() defaults missing UPI status to 'success' (normalize_str(r.get('status') or 'success')), which could cause rows with missing status to be treated as eligible for matching despite SKILL.md's emphasis on matching only explicit success-like statuses. Also, the script will write files at whatever output prefix you supply; review paths to avoid accidental overwrites.
Install Mechanism
ok: Instruction-only skill with a bundled Python script; there is no install spec, no downloads, and no package installation. Risk surface is limited to running the provided script with local inputs.
Credentials
ok: No environment variables, credentials, or external configuration paths are requested. The script operates purely on files supplied by the user.
Persistence & Privilege
ok: Skill is not marked always:true and does not request persistent system changes or modify other skills. It writes output CSV/JSON files to user-specified locations only.