Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
PL Report Generator
v1.0.0
Generate automated financial and business reports with PDF output, chart creation, and distribution. Use when: (1) producing recurring financial reports (P&L...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes extracting data, running Python processing scripts, generating charts with matplotlib, rendering PDFs, and distributing reports. The registry metadata declares no required binaries, no install, and no credentials. Running the provided examples requires Python, matplotlib, numpy, a CSV/SQLite client, and credentials or CLIs for Google Sheets/QuickBooks/email/IM — those are not declared, which is an incoherence between stated purpose and listed requirements.
Instruction Scope
The instructions explicitly tell the agent to read local financial files (reports/raw/...), run sqlite3 queries, call a Google Sheets CLI, and ultimately distribute reports via email/messaging. They reference other skills (QBO) and external endpoints implicitly but do not constrain or document which credentials or endpoints will be used. This grants broad discretion to access and transmit sensitive financial data without declared boundaries.
Install Mechanism
There is no install spec (instruction-only), which reduces supply-chain risk. However, the skill includes executable examples (bash, python) that require specific runtimes and libraries; those dependencies are not documented or installed by the skill, creating an operational gap the integrator must address.
Credentials
The skill declares no required environment variables or credentials, yet the workflow implies need for API keys/credentials for QuickBooks/Google Sheets, email/SMTP or messaging tokens, and access to local file paths containing sensitive P&L data. Absence of declared credentials is disproportionate to the actions the skill instructs it to perform.
Persistence & Privilege
The skill does not request always-on presence (always:false) and does not appear to modify other skills or system-wide settings. Autonomous invocation is permitted by default but is not combined with other high privileges here.
Scan Findings in Context
[no_regex_findings] expected: The static scanner found nothing to analyze because this is an instruction-only skill with no code files. That is expected, but absence of findings does not mean the instructions are complete or safe.
What to consider before installing
This skill's instructions look like a workable report pipeline, but they omit critical operational details. Before installing or running it, ask the provider for: (1) a full list of required runtimes and libraries (Python, matplotlib, numpy, sqlite3, any CLI tools), (2) the exact credentials or auth flows used for Google Sheets / QuickBooks / email / messaging, and (3) where PDFs and raw financial files will be stored and who can access them. Only run the skill in a controlled environment (non-production) until you confirm dependency and credential handling. If you cannot get that information, treat the skill as risky for sensitive financial data and prefer a vetted implementation or a skill that declares explicit install and credential requirements.
Like a lobster shell, security has layers — review code before you run it.
latestvk97dnr4rn0nmx9pb4qtm1rq03x82z1g8
