Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Month End Close

v1.0.2

Orchestrate and validate the full month-end close for a QBO client. Reads client SOP, runs automated close checks, scores each item, proposes journal entries...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The SKILL.md describes an automated QBO month-end close pipeline (calls a Python script, runs QBO reports, reads client SOPs, writes Excel and cache files). However, the skill package contains no code, no install spec, no required binaries, and declares no QBO credentials or CLI as required — all of which would normally be necessary for the stated functionality. This is an incoherence: either the instructions assume an external repo/environment, or the package is incomplete or mispackaged.
! Instruction Scope
Runtime instructions tell the agent to run `python3 scripts/pipelines/month-end-close.py` and to call `qbo report tb`, read local files at clients/{slug}/sop.md, and read/write cache files under .cache and an Excel workbook to ~/Desktop. Those actions involve accessing local project files and an external QBO integration. The SKILL.md gives the agent broad authority to read local SOPs and cache and to invoke a QBO CLI, but the skill does not declare or provide those artifacts, nor does it limit what else the script might do — creating a scope mismatch and potential surprise if the referenced script were present.
Install Mechanism
This is an instruction-only skill with no install spec (lowest install risk). However, it references a local Python script and a QBO CLI. Because no code or install instructions are included, the skill either expects a preexisting environment (undeclared) or is incomplete. The lack of an install mechanism is coherent from a safety perspective but increases operational ambiguity.
! Credentials
No environment variables, credentials, or config paths are declared, yet the workflow clearly needs QuickBooks Online credentials or a configured QBO CLI and access to client SOP files. The absence of declared credentials is disproportionate to the described integration and leaves unclear where/how the skill will obtain access to QBO data.
Persistence & Privilege
The skill is not always-enabled and uses default autonomous invocation settings. It writes cache and workbook files in user-local paths (.cache and ~/Desktop) which is expected for this kind of tool. The skill does not request system-wide or cross-skill configuration changes in the provided instructions.
What to consider before installing
This skill looks like a wrapper for an existing month-end pipeline, but the package is incomplete or mispackaged. Before installing or running:
(1) Verify the skill's source and obtain the referenced repository (scripts/pipelines/month-end-close.py) — do not run unknown scripts.
(2) Confirm where QBO credentials/QBO CLI come from; prefer least-privilege read-only credentials or a sandbox QBO account for testing.
(3) Inspect the referenced script(s) to see exactly what files and endpoints they read/write, and whether they send data externally.
(4) Run the pipeline in an isolated environment (VM/container) and with non-production credentials first.
(5) If you intend to allow the skill to access client SOPs or desktops, ensure those paths are expected and do not contain unrelated secrets.
If you cannot obtain the upstream code or a trustworthy repo/source, treat the skill as incomplete and avoid enabling it.

Like a lobster shell, security has layers — review code before you run it.

latestvk972035tp4pe1jmkw9ghmvchp983cyt2

Runtime requirements

📅 Clawdis