Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Bs Quick Compare
v1.0.2
Period-over-period variance analysis on the Balance Sheet pulled from QuickBooks Online. Outputs a 4-tab Excel workbook: Summary, Detail, Flags, CDC Log. Cov...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's stated purpose (Balance Sheet variance analysis from QuickBooks Online) legitimately requires QBO credentials and a client library. However the registry metadata lists no required environment variables or binaries, and the package contains no code files. The instructions reference a local script path (scripts/pipelines/bs-quick-compare.py) and a Node.js QBO client — neither the script nor any install steps or credential declarations are bundled. This mismatch suggests the skill as published is incomplete or misdescribed.
Instruction Scope
SKILL.md tells the agent/user to run a local Python script, to use a Node.js QBO client with a valid auth token, to read/write a cache at .cache/bs-quick-compare/{slug}.json and to write an Excel file to the Desktop (or --out). Those runtime actions access QuickBooks data and the local filesystem. While those actions match the stated task, the instructions expect files/credentials outside the published bundle and do not declare how the agent should obtain or store QBO secrets.
Install Mechanism
There is no install spec (instruction-only), which minimizes what the bundle writes to disk. However SKILL.md lists a Python dependency (openpyxl) and a Node.js QBO client; it does not provide commands to install the Node client or the Python script. That omission makes the skill unusable as-published and is an operational/integrity concern (missing code or missing provenance).
Credentials
The runtime clearly requires QuickBooks Online credentials (auth token) and a configured qbo-client, but the skill metadata declares no required environment variables or primary credential. Requiring financial-service credentials is proportionate to the purpose, but failing to declare them in the package is an incoherence that increases risk (the agent or instructions may ask you to provide secrets interactively or expect them to exist elsewhere).
Persistence & Privilege
The skill does not request 'always: true' and is user-invocable only. It writes a local cache under .cache/bs-quick-compare and outputs files to a user-specified directory (default ~/Desktop). Those are normal for a reporting pipeline and do not indicate elevated privileges or modification of other skills.
What to consider before installing
This package is incomplete or mispackaged. Before installing or running it: (1) ask the publisher for the missing scripts (scripts/pipelines/bs-quick-compare.py) and an explicit list of required environment variables (e.g., QBO client id/secret/refresh token or the qbo-client configuration); (2) do not paste QuickBooks credentials into an unverified prompt — verify the code that will use them; (3) if you must run it, review the Python script and any Node client code locally to ensure no unexpected network exfiltration or credential upload occurs; (4) consider running in an isolated environment (sandbox or VM) and point output/cache to a controlled directory rather than your Desktop; (5) if you cannot obtain the source or a trustworthy homepage, treat this skill as untrusted and avoid providing secrets.
Like a lobster shell, security has layers — review code before you run it.
