Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Payroll GL Reconciliation

v1.0.2

Reconcile QuickBooks Online payroll GL accounts against payroll provider reports (Gusto, ADP, Paychex) across 12 categories. Produces an 8-tab Excel workbook...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
[!] Purpose & Capability
The description says it reconciles QBO GL accounts (pulls GL data) but the skill declares no QuickBooks/Intuit credentials, API config, or primary credential. It also references a script path (scripts/pipelines/payroll-reconciliation.py) that is not present in the package, so the claimed capability cannot be verified from the provided files.
[!] Instruction Scope
SKILL.md instructs running a local Python script with paths to payroll CSVs and optional QBO pulls; this implies reading arbitrary local files (~/Downloads, --out dirs) and contacting QBO, but the instructions do not explain how to authenticate to QBO or where the script comes from. The agent would be asked to access sensitive payroll files without explicit credential/config guidance.
Install Mechanism
No install spec and no code files — lowest install risk. However, because the skill references a local script that isn't included, it's unclear whether an external script is expected to be present from another repository.
[!] Credentials
The skill requests no environment variables yet describes functionality (QBO GL pull, sandbox flag) that normally requires API credentials, OAuth tokens, or client IDs. The absence of declared credentials is disproportionate to the stated integration needs.
Persistence & Privilege
The skill does not request always: true and has no install actions that modify agent-wide config. It enables autonomous invocation by default (normal), but that combined with unclear credential handling increases risk if the agent is allowed to run arbitrary local scripts.
What to consider before installing
This skill is suspicious because it promises QBO integration but provides no code, no credentials, and no explanation of how to authenticate. Before installing or running it:
(1) Ask the publisher for the full source repository or the missing script (scripts/pipelines/payroll-reconciliation.py) and review it locally for network calls and credential usage.
(2) Confirm how QuickBooks authentication is handled (which env vars or OAuth flow) and never supply long-lived credentials to an unverified skill.
(3) If you only want provider-side analysis, use the --skip-gl mode and run the script locally after you review it.
(4) If you cannot obtain the script or clear auth instructions, do not run this skill against real payroll data or production credentials.

Like a lobster shell, security has layers — review code before you run it.

latest: vk972rydk8e1yt2v66rypkcf3qh83c5hx
