Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Financial Ratio Analysis

v1.0.2

Compute and report 25+ financial ratios (profitability, liquidity, leverage, efficiency, growth) from QBO data. Produces a 9-tab Excel workbook with traffic-...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill's stated purpose is to compute ratios from QuickBooks Online (QBO) data and produce Excel reports, which normally requires QBO credentials and local pipeline code. The registry entry declares no QBO credentials, no config paths, and the package contains no scripts; this mismatch suggests missing dependencies or unstated assumptions about where code/credentials live.
! Instruction Scope
SKILL.md instructs running local Python scripts (scripts/pipelines/financial-ratios.py), reading CLIENT_CONFIGS and client SOP files, and writing Excel output to ~/Desktop and CDC logs. Those instructions reference filesystem paths and client config files that are not declared in the skill metadata and there are no bundled code files — the runtime scope is underspecified and could cause the agent to search for sensitive files or depend on external skills/infrastructure.
Install Mechanism
No install spec and no code files are included (instruction-only). This minimizes direct installation risk since nothing is downloaded or written by an installer, but shifts risk to whatever runtime environment or external scripts the instructions expect to find.
! Credentials
To access QBO and produce the described outputs the skill would typically require API credentials (OAuth tokens or API keys) and access to client SOP/config files; none are declared. The absence of declared env vars or config path requirements is disproportionate to the skill's needs and makes it unclear where sensitive credentials must be provided or how they are protected.
Persistence & Privilege
always is false and the skill is user-invocable with normal autonomous invocation allowed. It does not request persistent installation or claim to modify other skills or system-wide settings.
What to consider before installing
This skill's README tells the agent to run local Python pipeline scripts and read client SOP/config files, but the package contains no scripts and declares no QuickBooks credentials or config paths. Before installing or enabling it, ask the publisher: (1) where are the pipeline scripts (provide code or a trusted install method)? (2) how does it obtain QBO data — which credentials or integration does it use and where are they stored? (3) what filesystem paths (SOP/client configs) will it read or write? If you must test it, run it in an isolated environment or sandbox, and require explicit, least-privilege credentials (not broad system access). Do not provide production QBO credentials or sensitive client SOP files until you can inspect the actual code and confirm how secrets are used and stored.

Like a lobster shell, security has layers — review code before you run it.
