Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SCF Quick Compare

v1.0.2

Period-over-period variance analysis on the Statement of Cash Flows pulled from QuickBooks Online. Outputs a 4-tab Excel workbook: Summary, Detail, Flags, CD...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability (flagged)
The stated purpose (SCF variance analysis from QuickBooks Online) reasonably requires QBO credentials and code to call the QBO API and produce Excel output. However, the skill advertises a Python script path but also says it needs a 'Node.js QBO client with valid auth token' — mixing runtimes. The registry metadata also declares no required env vars or credentials despite repeatedly saying 'QBO credentials configured' are required. These mismatches are not proportionate to the stated purpose.
Instruction Scope (flagged)
SKILL.md instructs running scripts/pipelines/scf-quick-compare.py, uses a QBO auth token, and reads/writes local cache (.cache/scf-quick-compare/{slug}.json) and defaults to saving to the user's Desktop. There are no instructions explaining where QBO credentials/tokens live or how they are supplied, and the runtime described (Python script calling a Node client) is incoherent. Instructions do not ask for unrelated system data, but the missing detail about credential handling and files is problematic.
Install Mechanism
This is instruction-only with no install spec — lower surface risk in that nothing is automatically downloaded. However, the docs claim 'pip install openpyxl (already installed in workspace)' and require a Node.js QBO client but provide no install instructions or package names. The absence of shipped code means the described script isn't present in the package, which is an inconsistency (either missing files or inaccurate documentation).
Credentials (flagged)
The skill clearly needs QuickBooks Online credentials/tokens to function, but the registry lists no required env vars, primary credential, or config paths. Requesting access to QBO (sensitive financial data) without declaring how credentials are provided is disproportionate and opaque. The skill also writes a local cache and outputs to Desktop, which are reasonable but should be documented.
Persistence & Privilege
always:false and no special privileges — normal. The skill will create a local cache (.cache/scf-quick-compare/{slug}.json) and write output spreadsheets to the Desktop or --out directory. This local persistence is expected for a reporting tool but should be made explicit in install/run docs and permission reviews.
What to consider before installing
Do not install or run this skill until the author clarifies and/or provides the missing pieces. Specifically:
1) Ask for the actual code files (scripts/pipelines/scf-quick-compare.py and any Node client) — the package currently contains only SKILL.md.
2) Ask how QBO credentials/tokens are supplied (which env vars or config file) and never provide production QBO credentials until you can review the code.
3) Clarify the runtime: is this a Python script, a Node program, or a hybrid? Provide install steps for Node packages and Python deps.
4) Verify where outputs and caches are written (defaults to Desktop and .cache) and consider running first in a sandboxed environment or with QBO sandbox credentials.
5) If the author cannot provide source or precise credential handling, treat this as untrusted: avoid giving real QBO tokens and prefer alternatives (a vetted plugin, sandbox credentials, or manual export/import).


latest: vk979mh0kp3d346ypg38ah74q1s83chcj

