Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Client Dashboard
v1.0.2 · Generates a client-facing executive KPI dashboard from QuickBooks Online data. Produces an Excel workbook with traffic-light scoring, 6-month trend sparkline...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The skill's stated purpose is to connect to QuickBooks Online (QBO) and produce a KPI workbook, which legitimately requires QBO credentials or an authenticated client. The SKILL.md references 'Node.js qbo-client must be authenticated for the target slug' but the package requests no environment variables, primary credential, or config paths. That mismatch (a QBO-integrating pipeline that doesn't declare how authentication is provided) is unexplained and concerning.
Instruction Scope
The instructions are detailed and scoped to generating Excel reports, manipulating a local cache (.cache/client-dashboard/{slug}.json), and editing an in-script CLIENT_CONFIGS dictionary. They do not instruct reading unrelated system files or sending data to unexpected endpoints. However, they assume an authenticated 'qbo-client' and local script edits — the agent will run a Python pipeline that could access any files accessible to the agent, so you should inspect the pipeline code before running.
Install Mechanism
This is an instruction-only skill with no install spec and no code files included in the package. That minimizes disk-write risk from the skill bundle itself (no remote downloads), but it does rely on external tooling (Python openpyxl and a Node qbo-client) which must already be present.
Credentials
No environment variables or credentials are declared even though QBO access is central to the skill. The SKILL.md expects the Node qbo-client to be 'authenticated' for the slug — it's unclear whether authentication is expected to live in environment variables, local config files, or a system-level credential store. This lack of declared credential requirements is a proportionality and transparency problem.
Persistence & Privilege
The skill does not request persistent/always-on privileges (always: false). It writes a local cache under .cache/client-dashboard and expects output to a user directory (default ~/Desktop), which is reasonable for a reporting pipeline. Nothing indicates modification of other skills or global agent settings.
What to consider before installing
Do not run this pipeline blindly. Before installing or invoking:
1) Ask the publisher to explain exactly how QBO authentication is provided (which env vars, config files, or system integrations are required).
2) Obtain and inspect the referenced script (scripts/pipelines/client-dashboard.py) to verify it does only the expected QBO API calls and file writes and does not exfiltrate data to unknown endpoints.
3) Check where CLIENT_CONFIGS and benchmarks are stored to ensure no secrets are hard-coded.
4) Run the script in a sandbox or with test/sandbox QBO credentials first.
5) If the author cannot provide source or clear auth instructions, treat the skill as untrusted.
Providing the actual pipeline code or a clear auth flow would raise my confidence and could change this assessment to benign.
latest · vk97e80epk090dqtaaghtbh2pnd83drwx
